Abstract. We propose a model-based approach to the model checking problem for
recursive schemes. Since simply typed lambda calculus with the fixpoint operator,
λY-calculus, is equivalent to schemes, we propose the use of a model of λY-calculus to
discriminate the terms that satisfy a given property. If a model is finite in every type, this
gives a decision procedure. We provide a construction of such a model for every property
expressed by automata with trivial acceptance conditions and divergence testing. Such
properties already pose interesting challenges for model construction. Moreover, we argue
that having models capturing some class of properties has several other virtues in addition
to providing decidability of the model-checking problem. As an illustration, we show a very
simple construction transforming a scheme to a scheme reflecting a property captured by a
given model.


1. Introduction 

We are interested in the relation between the effective denotational semantics of the simply
typed λY-calculus and the logical properties of Böhm trees. By effective denotational
semantics we mean semantic spaces in which the denotation of a term can be computed;
in this paper, these effective denotational semantics will simply be finite models of the
λY-calculus, but $Y$ will often be interpreted neither as the least nor as the greatest fixpoint.

Understanding properties of Böhm trees from a logical point of view is a problem that
arises naturally in the model checking of higher-order programs. Often this problem is
presented in the context of higher-order recursive schemes that generate a possibly infinite
tree. Nevertheless, higher-order recursive schemes can be represented faithfully by λY-terms,
in the sense that the infinite trees they generate are precisely the Böhm trees λY-terms
define.

The technical question we address here is whether the Böhm tree of a given term is
accepted by a given tree automaton. We consider only automata with trivial acceptance
conditions which we call TAC automata. The principal technical challenge we face is that we
allow automata to detect if a term has a head normal form. We call such automata insightful
as opposed to Ω-blind automata that are insensitive to divergence. For example, the models
studied by Aehlig or Kobayashi [Aeh07, Kob09b] are Ω-blind. The construction of a model
of the λY-calculus that can at the same time represent safety properties (as defined by
trivial automata) and check whether a computation is diverging is truly challenging. Indeed,
non-convergence has to have a non-standard interpretation, and this strongly affects the
way the interpretations of terms are computed. As we show here, $Y$ combinators cannot
be interpreted as an extremal fixpoint in this case, so known algorithms for verification of
safety properties cannot take non-convergence into account in a non-trivial way.

Let us explain the difference between insightful and Ω-blind conditions. The definition of
a Böhm tree says that if the head reduction of a term does not terminate then in the resulting
tree we get a special symbol $\Omega$. Yet this is not how this issue is treated in all known solutions
to the model-checking problem. There, instead of reading $\Omega$, the automaton is allowed
to run on the infinite sequence of unproductive reductions. In the case of automata with
trivial conditions, this has as an immediate consequence that such an infinite computation
is accepted by the automaton. From a denotational semantics perspective, this amounts
to interpreting the fixpoint combinator $Y$ as a greatest fixpoint on some finite monotonous
model. So, for example, with this approach to semantics, the language of schemes that
produce at least one head symbol is not definable by automata with trivial conditions. Let
us note that this problem disappears once we consider Büchi conditions as they permit
one to detect an infinite unproductive execution. So here we look at a particular class
of properties expressible by Büchi conditions. In summary, the problem we address is a
non-trivial extension of what is usually understood as verification of safety properties for
recursive schemes.

Our starting point is the proof that the usual methods for treating the safety properties
of higher-order schemes cannot capture the properties described with insightful automata.
The first result of the paper shows that extremal fixpoint models can only capture boolean
combinations of Ω-blind TAC automata. Our main result is the construction of a model
capturing insightful automata. This construction is based on an interpretation of the fixpoint
operator which is neither the greatest nor the least one. The main difficulty is to obtain a
definition that guarantees the existence and uniqueness of the fixpoint at every type.

In our opinion, providing models capturing certain classes of properties is an important
problem both from foundational and practical points of view. On the theoretical side,
models need to handle all the constructions of the λ-calculus while, for example, the type
systems proposed so far by Kobayashi [Kob09b], and by Kobayashi and Ong [KO09] do
not cater for λ-abstraction. Moreover, in op. cit. the treatment of recursion is performed
by means of a parity game that is not incorporated with the type system. In contrast, we
interpret the $Y$ combinator as an element of the model we construct. On the practical side,
models capturing classes of properties set the stage to define algorithms to decide these
properties in terms of evaluating λ-terms in them. One can remark that models offer most
of the algorithmic advantages of other approaches. As illustrated by [SMGB12], the typing
discipline of [Kob09b] can be completely rephrased in terms of simple models. More generally,
model theoretic methods based on duality offer ways to transform questions about the value
of λY-terms in models into typing problems. Such methods have been largely explored
in [Abr91]. This approach should allow one to transfer the algorithms based on types to the
approach based on models. This practical interest of models has been made into a slogan by
Terui [Ter12]: better semantics, faster computation. To substantiate further the interest of
models we also present a straightforward transformation of a scheme to a scheme reflecting a
given property [BCOS10]. From a wider perspective, the model based approach opens a new
bridge between the λ-calculus and model-checking communities. In particular, the model
we construct for insightful automata brings into the front stage particular non-extremal
fixpoints. To our knowledge these have not been studied much in the λ-calculus literature.

Related work. The model checking problem has been solved by Ong [Ong06] and
subsequently revisited in a number of ways [HMOS08, KO09, SW11]. A much simpler proof for
the same problem in the case of Ω-blind TAC automata has been given by Aehlig [Aeh07].
In his influential work, Kobayashi [Kob09b, Kob09a, Kob09c] has shown that many interesting
properties of higher-order recursive programs can be analyzed with recursive schemes
and Ω-blind TAC automata. He has also proposed an intersection type system for the
model-checking problem. The method has been applied to the verification of higher-order
programs [Kob11]. Another method based on higher-order collapsible pushdown automata
uses invariants expressed in terms of regular properties of higher-order stacks that is close in
spirit to intersection types [BCHS12]. Let us note that at present all algorithmic effort
concentrates on Ω-blind TAC automata. Ong and Tsukada [OT12] provide a game semantics model
corresponding to Kobayashi’s style of type system. Their model can handle only Ω-blind
automata, but then, thanks to game semantics, it is fully abstract. In recent work [TO14]
they extend this method to all parity automata. The obtained model is infinitary though.
We cannot hope to have the full abstraction in our approach using simple constructions;
moreover it is well-known that it is in general not possible to effectively construct fully
abstract models even in the finite case [Loa01]. In turn, as we mention in [Wal12] and
show here, handling Ω-blind automata with simple models is straightforward. The reflection
property for schemes has been proved by Broadbent et al. [BCOS10]. Haddad gives a direct
transformation of a scheme to an equivalent scheme without divergent computations [Had12].

Organization of the paper. The next section introduces the objects of our study:
λY-calculus and automata with trivial acceptance conditions (TAC automata). In Section 3
we present the correspondence between models of λY with greatest fixpoints and boolean
combinations of Ω-blind TAC automata. In Section 4 we give the construction of the model
for insightful TAC automata. The last section presents a transformation of a term into a
term reflecting a given property.


2. Preliminaries 

The two basic objects of our study are: λY-calculus and TAC automata. We will look at
λY-terms as mechanisms for generating infinite trees that are then accepted or rejected by
a TAC automaton. The definitions we adopt are standard ones in the λ-calculus and in the
automata theory. The only exceptions are the notion of a tree signature used to simplify the
presentation, and the notion of Ω-blind/insightful automata that are specific to this paper.

2.1. λY-calculus and models. The set of types $\mathcal{T}$ is constructed from a unique basic type 0
using a binary operation $\to$. Thus 0 is a type and if $\alpha$, $\beta$ are types, so is $(\alpha \to \beta)$. The order
of a type is defined by: $order(0) = 0$, and $order(\alpha \to \beta) = \max(1 + order(\alpha), order(\beta))$.
We assume that the symbol $\to$ associates to the right. More specifically we shall write
$\alpha_1 \to \cdots \to \alpha_n \to \beta$ so as to denote the type $(\alpha_1 \to (\cdots (\alpha_{n-1} \to (\alpha_n \to \beta)) \cdots))$.

A signature, denoted $\Sigma$, is a set of typed constants, i.e. symbols with associated types
from $\mathcal{T}$. We will assume that for every type $\alpha \in \mathcal{T}$ there are constants $\omega^\alpha$, $\Omega^\alpha$ and
$Y^{(\alpha\to\alpha)\to\alpha}$. A constant $Y^{(\alpha\to\alpha)\to\alpha}$ will stand for a fixpoint operator. Both $\omega^\alpha$ and
$\Omega^\alpha$ will stand for undefined terms. The reason why we need two different constants to
denote undefined terms is clarified in Section 4.

Of special interest to us will be tree signatures where all constants other than $Y$, $\omega$ and
$\Omega$ have order at most 1. Observe that types of order 1 have the form $0^i \to 0$ for some $i$; the
latter is a short notation for $0 \to 0 \to \cdots \to 0 \to 0$, where there are $i + 1$ occurrences of 0.

Proviso: to simplify the notation we will suppose that all the constants in a tree
signature are either of type 0 or of type $0 \to 0 \to 0$. So they are either a constant of the
base type or a function of two arguments over the base type. This assumption does not
affect the results of the paper.

The set of simply typed λ-terms is defined inductively as follows. A constant of type $\alpha$
is a term of type $\alpha$. For each type $\alpha$ there is a countable set of variables $x^\alpha, y^\alpha, \dots$ that
are also terms of type $\alpha$. If $M$ is a term of type $\beta$ and $x^\alpha$ a variable of type $\alpha$ then $\lambda x^\alpha.M$
is a term of type $\alpha \to \beta$. Finally, if $M$ is of type $\alpha \to \beta$ and $N$ is a term of type $\alpha$ then
$MN$ is a term of type $\beta$. We shall use the usual convention about dropping parentheses
in writing λ-terms and we shall write sequences of λ-abstractions $\lambda x_1.\dots\lambda x_n.M$ with only
one $\lambda$: $\lambda x_1 \dots x_n.M$. Even shorter, we shall write $\lambda\vec{x}.M$ when $\vec{x}$ stands for a sequence of
variables.

The usual operational semantics of the λ-calculus is given by β-contraction. To give
the meaning to fixpoint constants we use δ-contraction ($\to_\delta$). Of course those rules may be
applied at any position in a term:

$(\lambda x.M)N \to_\beta M[N/x] \qquad YM \to_\delta M(YM).$

We write $\to^*_{\beta\delta}$ for the βδ-reduction, the reflexive and transitive closure of the sum of the
two relations (we write $\to^+_{\beta\delta}$ for its transitive closure). This relation defines an operational
equality on terms. We write $=_{\beta\delta}$ for the smallest equivalence relation containing $\to^*_{\beta\delta}$. It is
called βδ-conversion or βδ-equality. Given a term $M = \lambda x_1 \dots x_n.N_0 N_1 \dots N_p$ where $N_0$ is
of the form $(\lambda x.P)Q$ or $YP$, then $N_0$ is called the head redex of $M$. We write $M \to_h M'$
when $M'$ is obtained by βδ-contracting the head redex of $M$ (when it has one). We write
$\to^*_h$ and $\to^+_h$ respectively for the reflexive and transitive closure and the transitive closure of
$\to_h$. The relation $\to^*_h$ is called head reduction. A term with no head redex is said to be in
head normal form.

Thus, the operational semantics of the λY-calculus is the βδ-reduction. It is well-known
that this semantics is confluent [Sta04] and enjoys subject reduction (i.e. the type of terms
is invariant under βδ-reduction). So every term has at most one normal form, but due to
δ-reduction there are terms without a normal form. A term may not have a normal form
because it does not have head normal form, in such case it is called unsolvable. Even if
a term has a head normal form, i.e. it is solvable, it may contain an unsolvable subterm
that prevents it from having a normal form. Finally, it may be also the case that all the
subterms of a term are solvable but the reduction generates an infinitely growing term. It is
thus classical in the λ-calculus to consider a kind of infinite normal form that by itself is an
infinite tree, and in consequence it is not a term of the λY-calculus [Bar84, AC98]. This
infinite normal form is called a Böhm tree.

A Böhm tree is an unranked, ordered, and potentially infinite tree with nodes labeled
by terms of the form $\lambda x_1 \dots x_n.N$; where $N$ is a variable or a constant and $n \ge 0$ (so, in
particular, the sequence of λ-abstractions may be empty). So for example Ax'^.o;'^

are labels, but X'lf'. is not. 

Definition 2.1. A Böhm tree of a term $M$ is obtained in the following way.

• If $M \to^*_{\beta\delta} \lambda\vec{x}.N_0 N_1 \dots N_k$ with $N_0$ a variable or a constant then $BT(M)$ is a tree having
root labeled by $\lambda\vec{x}.N_0$ and having $BT(N_1), \dots, BT(N_k)$ as subtrees.

• Otherwise $BT(M) = \Omega^\alpha$, where $\alpha$ is the type of $M$.

Observe that a term $M$ without the constants $\Omega$ and $\omega$ has a βδ-normal form if and
only if $BT(M)$ is a finite tree without the constants $\Omega$ and $\omega$. In this case the Böhm tree is
just another representation of the normal form. Unlike in the standard theory of the simply
typed λ-calculus we will be rather interested in terms with infinite Böhm trees.

Recall that in a tree signature all constants except $Y$, $\Omega$, and $\omega$ are of type 0 or
$0 \to 0 \to 0$. A closed term without λ-abstraction and $Y$ over such a signature is just a finite
binary tree, where constants of type 0 occur at leaves, and constants of type $0 \to 0 \to 0$ are
in the internal nodes. The same holds for Böhm trees:

Lemma 2.2. If $M$ is a closed term of type 0 over a tree signature then $BT(M)$ is a
potentially infinite binary tree.

We will consider finitary models of the λY-calculus. In the first part of the paper we will
concentrate on those where $Y$ is interpreted as the greatest fixpoint. The models interpreting
$Y$ as least fixpoints are dual and capture the same class of properties as the models based
on greatest fixpoints for interpreting the $Y$ combinator.

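Definition 2.3. A GFP-model of a signature $\Sigma$ is a tuple $\mathcal{S} = \langle \{S_\alpha\}_{\alpha\in\mathcal{T}}, \rho \rangle$ where $S_0$ is a
finite lattice, called the base set of the model, and for every type $\alpha \to \beta \in \mathcal{T}$, $S_{\alpha\to\beta}$ is the
lattice $mon[S_\alpha \to S_\beta]$ of monotone functions from $S_\alpha$ to $S_\beta$ ordered coordinatewise. The
valuation function $\rho$ is required to satisfy certain conditions:

• If $c \in \Sigma$ is a constant of type $\alpha$ then $\rho(c)$ is an element of $S_\alpha$.

• For every $\alpha \in \mathcal{T}$, both $\rho(\omega^\alpha)$ and $\rho(\Omega^\alpha)$ are the greatest elements of $S_\alpha$.

• Moreover, $\rho(Y^{(\alpha\to\alpha)\to\alpha})$ is the function assigning to every function $f \in S_{\alpha\to\alpha}$ its greatest
fixpoint.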

Observe that every $S_\alpha$ is finite and is thus a complete lattice. Hence all the greatest fixpoints
exist without any additional assumptions.

A variable assignment is a function $v$ associating to a variable of type $\alpha$ an element of
$S_\alpha$. If $s$ is an element of $S_\alpha$ and $x^\alpha$ is a variable of type $\alpha$ then $v[s/x^\alpha]$ denotes the valuation
that assigns $s$ to $x^\alpha$ and that is identical to $v$ everywhere else.

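The interpretation of a term $M$ of type $\alpha$ in the model $\mathcal{S}$ under the valuation $v$ is an
element of $S_\alpha$ denoted $[\![M]\!]^v_{\mathcal{S}}$. The meaning is defined inductively:

• $[\![c]\!]^v_{\mathcal{S}} = \rho(c)$

• $[\![x^\alpha]\!]^v_{\mathcal{S}} = v(x^\alpha)$

• $[\![MN]\!]^v_{\mathcal{S}} = [\![M]\!]^v_{\mathcal{S}}([\![N]\!]^v_{\mathcal{S}})$

• $[\![\lambda x^\alpha.M]\!]^v_{\mathcal{S}}$ is a function mapping an element $s \in S_\alpha$ to $[\![M]\!]^{v[s/x^\alpha]}_{\mathcal{S}}$ that by abuse of notation
we may write $\lambda s.[\![M]\!]^{v[s/x^\alpha]}_{\mathcal{S}}$.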

It is well-known that the interpretations of terms are always monotone functions. We refer
the reader to [AC98] for details. As usual, we will omit subscripts or superscripts in the
notation of the semantic function if they are clear from the context.

Of course a GFP model is sound with respect to βδ-conversion. Hence two βδ-convertible
terms have the same semantics in the model. For us it is important that a stronger property
holds: if two terms have the same Böhm trees then they have the same semantics in the
model. For this we need to formally define the semantics of a Böhm tree.

The semantics of a Böhm tree is defined in terms of its truncations. For every $n \in \mathbb{N}$,
we denote by $BT(M)\!\downarrow_n$ the finite term that is the result of replacing in the tree $BT(M)$
every subtree at depth $n$ by the constant $\omega^\alpha$ of the appropriate type. Observe that if $M$ is
closed and of type 0 then $\alpha$ will always be the base type 0. This is because we work with a
tree signature. We define

$[\![BT(M)]\!]^v_{\mathcal{S}} = \bigwedge \{ [\![BT(M)\!\downarrow_n]\!]^v_{\mathcal{S}} \mid n \in \mathbb{N} \}.$

The above definitions are standard for λY-calculus, or more generally for PCF [AC98].
In particular the following proposition, in a more general form, can be found as Exercise
6.1.8 in op. cit.¹

Proposition 2.4. If $\mathcal{S}$ is a finite GFP-model and $M$ is a closed term then:
$[\![M]\!]_{\mathcal{S}} = [\![BT(M)]\!]_{\mathcal{S}}$.

Observe that $\Omega$ is used to denote divergence and $\omega$ is used in the definition of the
truncation $BT(M)\!\downarrow_n$. In GFP-models this is irrelevant as the two constants are required to
have the same meaning. Later we will consider models that distinguish those two constants.


2.2. TAC Automata. Let us fix a tree signature $\Sigma$. Recall that this means that apart
from $\omega$, $\Omega$ and $Y$ all constants have order at most 1. According to our proviso
all constants in $\Sigma$ have either type 0 or type $0 \to 0 \to 0$. In this case, as we only consider
closed terms of type 0, by Lemma 2.2, Böhm trees are potentially infinite binary trees. Let
$\Sigma_0$ be the set of constants of type 0, and $\Sigma_2$ the set of constants of type $0 \to 0 \to 0$.


Definition 2.5. A finite tree automaton with trivial acceptance condition (TAC automaton)
over the signature $\Sigma = \Sigma_0 \cup \Sigma_2$ is

$A = \langle Q, \Sigma, q^0 \in Q, \delta_0 : Q \times (\Sigma_0 \cup \{\Omega\}) \to \{ff, tt\}, \delta_2 : Q \times \Sigma_2 \to \mathcal{P}(Q^2) \rangle$

where $Q$ is a finite set of states and $q^0 \in Q$ is the initial state. The transition function of
the TAC automaton may be subject to the additional restriction:

Ω-blind: $\delta_0(q, \Omega) = tt$ for all $q \in Q$.

An automaton satisfying this restriction is called Ω-blind. For clarity, we use the term
insightful to refer to automata without this restriction.

¹ In this paper we work with models built with finite lattices and monotone functions which are a particular
case of the directed complete partial order and continuous functions used in [AC98]. We also use GFP models
while [AC98] uses least fixpoints, but the duality between those two classes of models makes the proof of the
proposition similar in the two cases.

Automata are used to define languages of possibly infinite binary trees. More specifically,
an automaton over $\Sigma$ shall define a set of $\Sigma$-labelled binary trees. These trees are partial
functions $t : \{1, 2\}^* \to \Sigma \cup \{\Omega\}$ such that their domain is a binary tree: (i) if $uv$ is in the
domain of $t$ then so is $u$, (ii) if $u$ is in the domain of $t$ and $t(u)$ is in $\Sigma_2$ then $u1$ and $u2$ are
in the domain of $t$, (iii) if $u$ is in the domain of $t$ and $t(u) \in \Sigma_0 \cup \{\Omega\}$ then $u$ is called a leaf,
and if $uv$ is in the domain of $t$ then $v$ is the empty string.

A run of $A$ on $t$ is a mapping $r : \{1, 2\}^* \to Q$ with the same domain as $t$ and such that:

• $r(\varepsilon) = q^0$, here $\varepsilon$ is the root of $t$.

• $(r(u1), r(u2)) \in \delta_2(r(u), t(u))$ if $u$ is an internal node.

A run is accepting if $\delta_0(r(u), t(u)) = tt$ for every leaf $u$ of $t$. A tree is accepted by $A$ if there
is an accepting run on the tree. The language of $A$, denoted $L(A)$, is the set of trees that
are accepted by $A$.

Observe that TAC automata have acceptance conditions on leaves, expressed with $\delta_0$,
but do not have acceptance conditions on infinite paths. For example, this implies that
every run on an infinite tree with no leaves is accepting. This does not mean of course that
TAC automata accept all such trees as there may be no run on a particular tree. Indeed it
may be the case that $\delta_2(q, c) = \emptyset$ for some pairs $(q, c)$.

As underlined in the introduction, all the previous works on automata with trivial
conditions rely on the Ω-blind restriction. Let us give some examples of properties that can
be expressed with insightful automata but not with Ω-blind automata.

• The set of terms not having $\Omega$ in their Böhm tree. To recognize this set we take the
automaton with a unique state $q$. This state has transitions on all the letters from $\Sigma_2$. It
also can end a run in every constant of type 0 except for $\Omega$: this means $\delta_0(q, \Omega) = ff$ and
$\delta_0(q, c) = tt$ for all other $c$.

• The set of terms having a head normal form. We take an automaton with two states $q$
and $q_\top$. From $q_\top$ the automaton accepts every tree. From $q$ it has transitions to $q_\top$ on all
the letters from $\Sigma_2$, on letters from $\Sigma_0$ it behaves as the automaton above.

• Building on these two examples one can easily construct an automaton for a property like
“every occurrence of $\Omega$ is preceded by a constant err”.

It is easy to see that none of these languages is recognized by any Ω-blind automaton since
if such an automaton accepts a tree $t$ then it accepts also every tree obtained by replacing a
subtree of $t$ by $\Omega$. This observation also allows one to show that those languages cannot be
defined as boolean combinations of Ω-blind automata.
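
The following Python sketch is an added illustration, not code from the paper: it runs TAC automata in the sense of Definition 2.5 on finite trees only, builds the first two example automata above, and checks the closure property used in the last paragraph. The signature (binary `a`, nullary `c`), the state names and all helper names are assumptions made for the example.

```python
# Added example: TAC automata (Definition 2.5) run on FINITE trees only.
# A tree is a leaf label (a constant of type 0, or OMEGA) or a triple (a, left, right).
from dataclasses import dataclass

OMEGA = "Omega"  # label of a leaf standing for a subterm with no head normal form


@dataclass(frozen=True)
class TAC:
    states: frozenset
    init: str
    delta0: dict  # (state, leaf label) -> bool; a missing entry means ff
    delta2: dict  # (state, binary label) -> set of state pairs; missing means empty

    def accepts_from(self, q, tree):
        """Is there an accepting run on `tree` whose root carries state q?"""
        if isinstance(tree, str):                    # leaf: consult delta0
            return self.delta0.get((q, tree), False)
        a, left, right = tree                        # internal node: pick a pair from delta2
        return any(self.accepts_from(q1, left) and self.accepts_from(q2, right)
                   for q1, q2 in self.delta2.get((q, a), ()))

    def accepts(self, tree):
        return self.accepts_from(self.init, tree)

    def is_omega_blind(self):
        """The Omega-blind restriction: delta0(q, Omega) = tt for every state."""
        return all(self.delta0.get((q, OMEGA), False) for q in self.states)


def cut_variants(tree):
    """All trees obtained from `tree` by replacing exactly one subtree with OMEGA."""
    yield OMEGA
    if not isinstance(tree, str):
        a, left, right = tree
        for cut_left in cut_variants(left):
            yield (a, cut_left, right)
        for cut_right in cut_variants(right):
            yield (a, left, cut_right)


def closed_under_cuts(aut, tree):
    """Closure property of Omega-blind automata, checked on one accepted tree."""
    return aut.accepts(tree) and all(aut.accepts(u) for u in cut_variants(tree))


# First example: one state q, Omega is the only rejected leaf.
NO_OMEGA = TAC(frozenset({"q"}), "q",
               {("q", "c"): True, ("q", OMEGA): False},
               {("q", "a"): {("q", "q")}})

# Second example: q checks the root, q_top accepts every tree.
HAS_HNF = TAC(frozenset({"q", "q_top"}), "q",
              {("q", "c"): True, ("q", OMEGA): False,
               ("q_top", "c"): True, ("q_top", OMEGA): True},
              {("q", "a"): {("q_top", "q_top")},
               ("q_top", "a"): {("q_top", "q_top")}})

# Omega-blind variant of NO_OMEGA: same transitions, but delta0(q, Omega) = tt.
BLIND = TAC(frozenset({"q"}), "q",
            {("q", "c"): True, ("q", OMEGA): True},
            {("q", "a"): {("q", "q")}})

SAMPLE = ("a", "c", ("a", "c", "c"))  # constructed finite tree

if __name__ == "__main__":
    for name, aut in [("NO_OMEGA", NO_OMEGA), ("HAS_HNF", HAS_HNF), ("BLIND", BLIND)]:
        print(name, aut.is_omega_blind(), aut.accepts(SAMPLE),
              closed_under_cuts(aut, SAMPLE))
```

Both insightful automata accept `SAMPLE` but reject at least one of its cut variants, which no Ω-blind automaton can do.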

3. GFP MODELS AND Ω-BLIND TAC AUTOMATA

In this section we show that the recognizing power of GFP models coincides with that of
boolean combinations of Ω-blind TAC automata. For every automaton we will construct a
model capable of discriminating the terms accepted by the automaton. For the opposite
direction, we will use boolean combinations of TAC automata to capture the recognizing
power of the model. We start with the expected formal definition of a set of λY-terms
recognized by a model.

Definition 3.1. For a GFP model $\mathcal{S}$ over the base set $S_0$, the language recognized by a
subset $F \subseteq S_0$ is the set of closed λY-terms $\{M \mid [\![M]\!]_{\mathcal{S}} \in F\}$.

We need to introduce some notations that we shall use in the course of the proofs. Given
a closed term $M$ of type 0, the tree $BT(M)$ can be seen as a binary tree $t : \{1,2\}^* \to \Sigma$. For
every node $v$ in the domain of $t$, we write $M_v$ for the subtree of $t$ rooted at node $v$. The tree
$BT(M)\!\downarrow_k$ is a prefix of this tree containing nodes up to depth $k$, denote it $t_k$ (cf. the definition
of the truncation). It has three types of leaves: “cut leaves” are at depth $k$ and are labelled by $\omega$,
“non-converging leaves” labelled by $\Omega$, and “normal leaves” labelled by a constant of type 0.
Every node $v$ in the domain of $t_k$ corresponds to a subterm of $BT(M)\!\downarrow_k$ that we denote
$M^k_v$. In particular $M^k_\varepsilon$ is $BT(M)\!\downarrow_k$ since $\varepsilon$ is the root of $BT(M)\!\downarrow_k$.

Proposition 3.2. For every Ω-blind TAC automaton $A$, the language of $A$ is recognized by
a GFP model.


Proof. For the model $\mathcal{S}_A$ in question we take a GFP model with the base set $S_0 = \mathcal{P}(Q)$.
This determines $S_\alpha$ for every type $\alpha$. It remains to define the interpretation of constants
other than $\omega$, $\Omega$, or $Y$. A constant $c$ of type 0 is interpreted as a set $\{q \mid \delta_0(q,c) = tt\}$. A
constant $a$ of type $0 \to 0 \to 0$ is interpreted as a function whose value on $(S_0, S_1) \in \mathcal{P}(Q)^2$
is $\{q \mid \delta_2(q,a) \cap S_0 \times S_1 \neq \emptyset\}$. Finally, for the set $F_A$ used to recognize $L(A)$ we will take
$\{S \mid q^0 \in S\}$; recall that $q^0$ is the initial state of $A$. We want to show that for every closed
term $M$ of type 0:

$BT(M) \in L(A)$ iff $[\![M]\!] \in F_A$.

For the direction from left to right, we take a λY-term $M$ such that $BT(M) \in L(A)$, and
show that $q^0 \in [\![BT(M)]\!]$. This will do as $[\![BT(M)]\!] = [\![M]\!]$ by Proposition 2.4. Recall that
$[\![BT(M)]\!] = \bigwedge\{[\![BT(M)\!\downarrow_k]\!] \mid k = 1, 2, \dots\}$. So it is enough to show that $q^0 \in [\![BT(M)\!\downarrow_k]\!]$
for every $k$.

Let us assume that we have an accepting run $r$ of $A$ on $BT(M)$. By induction on the
height of $v$ in the domain of $BT(M)\!\downarrow_k$ we show that $r(v) \in [\![M^k_v]\!]$. The desired conclusion
will follow by taking $v = \varepsilon$; that is the root of the tree. If $v$ is a “cut leaf” then $M^k_v$ is
$\omega^0$. So $r(v) \in [\![\omega^0]\!]$ since $[\![\omega^0]\!] = Q$. If $v$ is a “non-converging leaf”, then $M^k_v$ is $\Omega^0$ and
$r(v) \in Q = [\![\Omega^0]\!]$. If $v$ is a “normal” leaf then $M^k_v$ is a constant $c$ of type 0. We have
$r(v) \in \{q : \delta_0(q,c) = tt\}$. If $v$ is an internal node then $M^k_v = a M^k_{v1} M^k_{v2}$. By induction
assumption $r(v1) \in [\![M^k_{v1}]\!]$ and $r(v2) \in [\![M^k_{v2}]\!]$. Hence by definition of $\rho(a)$ we get

$r(v) \in [\![M^k_v]\!] = \rho(a)([\![M^k_{v1}]\!], [\![M^k_{v2}]\!]).$


For the direction from right to left we take a term $M$ and a state $q \in [\![M]\!]$. We construct
a run of $A$ on $BT(M)$ that starts with the state $q$. So we put $r(\varepsilon) = q$. If $M$ has no head
normal form $BT(M) = \Omega$ and, using Proposition 2.4, the conclusion is immediate as the
automaton is Ω-blind. If $M$ has as head normal form a nullary constant $a$, the conclusion
follows from the definition of $[\![a]\!]$. Now if $M$ has as head normal form $aM_1M_2$, by definition
of $[\![a]\!]$, there is $(q_1,q_2)$ in $\delta_2(q,a)$ so that $q_1 \in [\![M_1]\!]$ and $q_2 \in [\![M_2]\!]$. We repeat the argument
with the state $q_1$ from node 1, and with the state $q_2$ from node 2. It is easy to see that this
gives an accepting run of $A$ on $BT(M)$. □
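
As an added illustration (not part of the paper), the model $\mathcal{S}_A$ from this proof can be evaluated directly for terms of type 0 in which $Y$ is applied only to abstractions of type $0 \to 0$. The automaton, the term encoding and all names below are assumptions made for the example; the greatest-fixpoint iteration starts from $Q$, which is why the diverging term $Y(\lambda x.x)$ receives every state.

```python
# Added example: the GFP model S_A of Proposition 3.2 for one constructed
# Omega-blind TAC automaton (states, letters and transitions are assumptions).
OMEGA = "Omega"
Q = frozenset({"q0", "q1"})
INIT = "q0"
# delta0(q, Omega) = tt for every q is implicit: the automaton is Omega-blind.
DELTA0 = {("q0", "c"): True, ("q1", "c"): True,
          ("q0", "d"): False, ("q1", "d"): True}
DELTA2 = {("q0", "a"): {("q0", "q1")}, ("q1", "a"): {("q1", "q1")}}


def rho0(c):
    """rho(c) = {q | delta0(q, c) = tt}; omega and Omega get the greatest element Q."""
    if c in (OMEGA, "omega"):
        return Q
    return frozenset(q for q in Q if DELTA0.get((q, c), False))


def rho2(a, s0, s1):
    """rho(a)(S0, S1) = {q | delta2(q, a) meets S0 x S1}."""
    return frozenset(q for q in Q
                     if any(q1 in s0 and q2 in s1
                            for q1, q2 in DELTA2.get((q, a), ())))


def interpret(term, env=None):
    """Value in P(Q) of a term of type 0.

    Terms: ("const", c) | ("var", x) | ("node", a, M, N) | ("Y", x, M),
    where ("Y", x, M) stands for Y(lambda x. M) with x and M of type 0.
    """
    env = env or {}
    kind = term[0]
    if kind == "const":
        return rho0(term[1])
    if kind == "var":
        return env[term[1]]
    if kind == "node":
        _, a, left, right = term
        return rho2(a, interpret(left, env), interpret(right, env))
    if kind == "Y":
        _, x, body = term
        current = Q                       # start from the greatest element of P(Q)
        while True:                       # finite lattice, monotone map: terminates
            nxt = interpret(body, {**env, x: current})
            if nxt == current:
                return current            # greatest fixpoint of s |-> [[body]][s/x]
            current = nxt
    raise ValueError(f"unknown term {term!r}")


def recognized(term):
    """Membership of [[term]] in F_A = {S | q0 in S}."""
    return INIT in interpret(term)


C, D, X = ("const", "c"), ("const", "d"), ("var", "x")
RIGHT_COMB_C = ("Y", "x", ("node", "a", C, X))   # Bohm tree a c (a c (a c ...))
RIGHT_COMB_D = ("Y", "x", ("node", "a", D, X))   # Bohm tree a d (a d (a d ...))
DIVERGING = ("Y", "x", X)                        # Y(lambda x. x): Bohm tree Omega

if __name__ == "__main__":
    for name, t in [("a c (a c ...)", RIGHT_COMB_C),
                    ("a d (a d ...)", RIGHT_COMB_D),
                    ("Y(lambda x. x)", DIVERGING)]:
        print(name, sorted(interpret(t)), recognized(t))
```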


As we are now going to see, the power of GFP models is characterized by Ω-blind TAC
automata. We will show that every language recognized by a GFP model is a boolean
combination of languages of Ω-blind TAC automata. For the rest of the subsection we fix a
tree signature $\Sigma$ and a GFP model $\mathcal{S} = \langle \{S_\alpha\}_{\alpha\in\mathcal{T}}, \rho \rangle$ over $\Sigma$.

We construct a family of automata that reflect the model $\mathcal{S}$. We let $Q$ be equal to the
base set $S_0$ of the model. We define $\delta_0 : Q \times (\Sigma_0 \cup \{\Omega\}) \to \{ff, tt\}$ and $\delta_2 : Q \times \Sigma_2 \to \mathcal{P}(Q^2)$
to be the functions such that:

$\delta_0(q,a) = tt$ iff $q \le \rho(a)$ (in the order of $S_0$)

$\delta_2(q,a) = \{(q_1,q_2) \mid q \le \rho(a)(q_1,q_2)\}.$

For $q$ in $Q$, we define $A_q$ to be the automaton with the starting state $q$ and the other
components as above:

$A_q = \langle Q, \Sigma, q, \delta_0, \delta_2 \rangle.$

We have the following lemma: 


Lemma 3.3. Given a closed λ-term $M$ of type 0: $BT(M) \in L(A_q)$ iff $q \le [\![M]\!]$.


Proof. We start by showing that if $A_q$ accepts $BT(M)$ then $q \le [\![M]\!]$. Proposition 2.4 reduces
this implication to proving that $q \le [\![BT(M)]\!]$. Since $[\![BT(M)]\!] = \bigwedge\{[\![BT(M)\!\downarrow_k]\!] \mid k \in \mathbb{N}\}$,
we need to show that for every $k > 0$, $q \le [\![BT(M)\!\downarrow_k]\!]$. Fix an accepting run $r$ of $A_q$ on
$BT(M)$. We are going to show that for every $v$ in the domain of $BT(M)\!\downarrow_k$, $r(v) \le [\![M^k_v]\!]$.
This will imply that $r(\varepsilon) = q \le [\![BT(M)\!\downarrow_k]\!]$.

We proceed by induction on the height of $v$. In case $v$ is a “cut leaf” (or a
“non-converging” leaf) then $M^k_v$ is $\omega^0$ (or $\Omega^0$) and $[\![M^k_v]\!]$ is the greatest element of $S_0$ so that $r(v)$
is indeed smaller than $[\![M^k_v]\!]$. In case $v$ is a “normal leaf” then $M^k_v$ is a constant $c$ of type 0.
Since $r$ is an accepting run, we need to have, by definition, $r(v) \le \rho(c) = [\![M^k_v]\!]$. In case $v$
is an internal node then by induction, we have that $r(vi) \le [\![M^k_{vi}]\!]$.
Moreover, because $r$ is a run, we need to have $r(v) \le \rho(a)(r(v1))(r(v2))$, but since $\rho(a)$ is
monotone, and $r(vi) \le [\![M^k_{vi}]\!]$, we have $\rho(a)(r(v1))(r(v2)) \le \rho(a)([\![M^k_{v1}]\!])([\![M^k_{v2}]\!]) = [\![M^k_v]\!]$.
This proves, as expected, that $r(v) \le [\![M^k_v]\!]$.

Now given $q \le [\![M]\!]$ we are going to construct a run of $A_q$ on $BT(M)$. Recall that for a
node $v$ of $BT(M)$ we use $M_v$ to denote the subtree rooted in this node. Take $r$ defined by
$r(v) = [\![M_v]\!]$ for every $v$. We show that $r$ is a run of the automaton $A_{[\![M]\!]}$. Since $q \le [\![M]\!]$,
by the definitions of $\delta_0$ and $\delta_2$, this run can be easily turned into a run of $A_q$.

By definition $r(\varepsilon) = [\![M]\!] = [\![BT(M)]\!]$. In case $v$ is a leaf $c$, then $r(v) = \rho(c)$ and
we have $\delta_0(\rho(c), c) = tt$. In case $v$ is an internal node labeled by $a$, then, by definition
$[\![M_v]\!] = \rho(a)([\![M_{v1}]\!], [\![M_{v2}]\!])$, so $([\![M_{v1}]\!], [\![M_{v2}]\!])$ is in $\delta_2([\![M_v]\!], a)$. □

This lemma and Proposition 3.2 allow us to infer the announced correspondence.

Theorem 3.4. A language $L$ of λ-terms is recognized by a GFP-model iff it is a boolean
combination of languages of Ω-blind TAC automata.


Proof. For the left to right direction take a model $\mathcal{S}$ and $p \in S_0$. By the above lemma we
get that the language recognized by $\{p\}$ is

$L_p = L(A_p) - \bigcup\{L(A_q) \mid q \in S_0 \wedge q \neq p \wedge p \le q\}$

So given $F$ included in $S_0$, the language recognized by $F$ is $\bigcup_{p \in F} L_p$.

For the other direction we take an automaton for every basic language in a boolean
combination. We make a product of the corresponding GFP models given by Proposition 3.2
and take the appropriate $F$ defined by the form of the boolean combination of the basic
languages. □

Using the results in [SMGB12], it can be shown that typings in Kobayashi’s type
systems [Kob09b] give precisely values in GFP models.


4. A MODEL FOR INSIGHTFUL TAC AUTOMATA

The goal of this section is to present a model capable of recognizing languages of insightful
TAC automata. Theorem 3.4 implies that the fixpoint operator in such a model can be
neither the greatest nor the least fixpoint. In the first subsection we will construct a model
that is a kind of composition of a GFP model and a model for detecting divergence. We
cannot just take the product of the two models since we want the fixpoint computation in
the model detecting divergence to influence the computation in the GFP model. In the
second part of this section we will show how to interpret insightful TAC automata in such a
model.


4.1. Model construction and basic properties. We are going to build a model $\mathcal{K}$
intended to recognize the language of a given insightful TAC automaton. This model is built
on top of the standard model $\mathcal{D}$ for detecting if a term has a head-normal form.

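The model $\mathcal{D} = \langle \{D_\alpha\}_{\alpha\in\mathcal{T}}, \rho \rangle$ is built from the two elements lattice $D_0 = \{\bot, \top\}$. As
$D_{\alpha\to\beta}$ we take the set of monotone functions from $D_\alpha$ to $D_\beta$ ordered pointwise. So $D_\alpha$ is
a finite lattice, for every type $\alpha$. We write $\bot_\alpha$ and $\top_\alpha$ for the least, respectively the
greatest, element of the lattice $D_\alpha$. We interpret $\omega^\alpha$ and $\Omega^\alpha$ as the least elements of $D_\alpha$, and
$Y^{(\alpha\to\alpha)\to\alpha}$ as the least fixpoint operator. So $\mathcal{D}$ is a dual of a GFP model from Definition 2.3.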


The reason for not taking a GFP model here is that we would prefer to use the greatest
fixpoint later in the construction. To all constants other than $Y$, $\omega$, and $\Omega$ the interpretation
$\rho$ assigns the greatest element of the appropriate type. The following theorem is well-known
(cf. [AC98] page 130).


Theorem 4.1. For every closed term $M$ of type 0 without $\omega$ we have:

$BT(M) = \Omega$ iff $[\![M]\!]_{\mathcal{D}} = \bot$.

We fix a finite set $Q$ and its subset $Q_\Omega \subseteq Q$. Later these will be the set of states of a
TAC automaton, and the set of states from which this automaton accepts $\Omega$, respectively.
To capture the power of such an automaton, we are going to define a model $\mathcal{K}(Q, Q_\Omega)$ of the
λY-calculus based on an applicative structure $\mathcal{K}_{Q,Q_\Omega} = (\mathcal{K}_\alpha)_{\alpha\in\mathcal{T}}$ with a non-standard
interpretation of the fixpoint. Roughly, this model will live inside the product of $\mathcal{D}$ and the
GFP model $\mathcal{S}$ for an Ω-blind automaton. The idea is that $\mathcal{K}(Q, Q_\Omega)$ will have a projection
on $\mathcal{D}$ but not necessarily on $\mathcal{S}$. This allows the model to observe whether a term converges
or not, and at the same time to use this information in computing in the second component.


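Definition 4.2. For a given finite set $Q$ and a set $Q_\Omega \subseteq Q$, we define a family of sets 
$\mathcal{K}_{Q,Q_\Omega} = (\mathcal{K}_\alpha)_{\alpha \in \mathcal{T}}$ by mutual recursion together with a logical relation $\mathcal{L} = (\mathcal{L}_\alpha)_{\alpha \in \mathcal{T}}$ such 
that $\mathcal{L}_\alpha \subseteq \mathcal{K}_\alpha \times D_\alpha$: 

(1) we let $\mathcal{K}_0 = \{(\top, P) \mid P \subseteq Q\} \cup \{(\bot, Q_\Omega)\}$ with the order: $(d_1, P_1) \le (d_2, P_2)$ iff $d_1 \le d_2$ 
in $D_0$ and $P_1 \subseteq P_2$ (cf. Figure 1), 

(2) $\mathcal{L}_0 = \{((d, P), d) \mid (d, P) \in \mathcal{K}_0\}$, 

(3) $\mathcal{K}_{\alpha \to \beta} = \{f \in \mathrm{mon}[\mathcal{K}_\alpha \to \mathcal{K}_\beta] \mid \exists d \in D_{\alpha \to \beta}.\ \forall (g, e) \in \mathcal{L}_\alpha.\ (f(g), d(e)) \in \mathcal{L}_\beta\}$, 

(4) $\mathcal{L}_{\alpha \to \beta} = \{(f, d) \in \mathcal{K}_{\alpha \to \beta} \times D_{\alpha \to \beta} \mid \forall (g, e) \in \mathcal{L}_\alpha.\ (f(g), d(e)) \in \mathcal{L}_\beta\}$. 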
Figure 1: The order $\mathcal{K}_0$ for $Q = \{1, 2\}$ and $Q_\Omega = \{1\}$ 

Figure 2: Model $\mathcal{D}$ is embedded into model $\mathcal{K}$ via the logical relation $\mathcal{L}$. 

Figure shows the intuition behind the construction. Every $\mathcal{K}_\alpha$ is finite since it lives 
inside the standard model constructed from $D_0 \times \mathcal{P}(Q)$ as the base set. Moreover, as we 
shall see later, for every $\alpha$, $\mathcal{K}_\alpha$ is a join semilattice and thus has a greatest element. The 
logical relation $\mathcal{L}$ will divide $\mathcal{K}_\alpha$ into equivalence classes, one for every element of $D_\alpha$. Every 
equivalence class will also have semilattice structure. 

Recall that a TAC automaton is supposed to accept unsolvable terms from states $Q_\Omega$. 
So the unsolvable terms of type 0 should have $Q_\Omega$ as a part of their meaning. This is why $\bot$ 
of $D_0$ is associated to $(\bot, Q_\Omega)$ in $\mathcal{K}_0$ via the relation $\mathcal{L}_0$. This also explains why we needed 
to take the least fixpoint in $\mathcal{D}$. If we had taken the greatest fixpoint then the unsolvable 
terms would have evaluated to $\top$ and the solvable ones to $\bot$. In consequence we would 
have needed to relate $\top$ with $(\top, Q_\Omega)$, and we would have been forced to relate $\bot$ with 
$(\bot, Q)$. But then $(\top, Q_\Omega)$ and $(\bot, Q)$ are incomparable in $\mathcal{K}_0$, and this makes it impossible 
to construct an order preserving injection from $D_0$ to $\mathcal{K}_0$. 

4.1.1. Structural properties of $\mathcal{K}(Q, Q_\Omega)$. We are now going to present some properties of the 
partial orders $\mathcal{K}_\alpha$. The following lemma shows that for every type $\alpha$, $\mathcal{K}_\alpha$ is a join semilattice. 

Lemma 4.3. Given $(f_1, d_1)$ and $(f_2, d_2)$ in $\mathcal{L}_\alpha$, then $f_1 \vee f_2$ is in $\mathcal{K}_\alpha$ and $(f_1 \vee f_2, d_1 \vee d_2)$ 
is in $\mathcal{L}_\alpha$. 

Proof. We proceed by induction on the structure of the type. For the base type the lemma is 
immediate from the definition. For the induction step consider a type of the form $\alpha \to \beta$ and 
assume that $f_1$ and $f_2$ are in $\mathrm{mon}[\mathcal{K}_\alpha \to \mathcal{K}_\beta]$. Since, by induction, $\mathcal{K}_\beta$ is a join semilattice, we 
have that $f_1 \vee f_2$ is also in $\mathrm{mon}[\mathcal{K}_\alpha \to \mathcal{K}_\beta]$. By the assumptions of the lemma, for every $(p, e)$ 
in $\mathcal{L}_\alpha$ we have $(f_1(p), d_1(e))$ and $(f_2(p), d_2(e))$ in $\mathcal{L}_\beta$. The induction hypothesis implies that 
$(f_1(p) \vee f_2(p), d_1(e) \vee d_2(e))$ is in $\mathcal{L}_\beta$. As by induction hypothesis $\mathcal{K}_\beta$ is a join semilattice, 
we get $(f_1 \vee f_2)(p) = f_1(p) \vee f_2(p)$ is in $\mathcal{K}_\beta$. Thus $((f_1 \vee f_2)(p), (d_1 \vee d_2)(e))$ is in $\mathcal{L}_\beta$. Since 
$(p, e) \in \mathcal{L}_\alpha$ was arbitrary this implies that $f_1 \vee f_2$ is in $\mathcal{K}_{\alpha \to \beta}$ and $(f_1 \vee f_2, d_1 \vee d_2)$ is in $\mathcal{L}_{\alpha \to \beta}$. 

A consequence of this lemma and of the finiteness of $\mathcal{K}_\alpha$ is that $\mathcal{K}_\alpha$ has a greatest 
element that we denote $\top_\alpha$. The lemma also implies the existence of certain meets. 


Corollary 4.4. For every type $\alpha$ and $f_1$, $f_2$ in $\mathcal{K}_\alpha$: if there is $g \in \mathcal{K}_\alpha$ such that $g \le f_1$ and 
$g \le f_2$ then $f_1$ and $f_2$ have a greatest lower bound $f_1 \wedge f_2$. Moreover, if $(f_1, d_1)$ and $(f_2, d_2)$ 
are in $\mathcal{L}_\alpha$ then $(f_1 \wedge f_2, d_1 \wedge d_2)$ is in $\mathcal{L}_\alpha$. 


Proof. Let $F = \{g \in \mathcal{K}_\alpha \mid g \le f_1 \text{ and } g \le f_2\}$. As $\mathcal{K}_\alpha$ is finite, the set $F$ is finite. An 
iterative use of Lemma 4.3 shows that $\bigvee F$ exists and is in $\mathcal{K}_\alpha$. It is then straightforward to 
see that $\bigvee F$ is indeed the greatest lower bound of $f_1$ and $f_2$. 

Now as $D_\alpha$ is a complete lattice, we also have that $d_1 \wedge d_2$ exists. Then a similar 
induction as in the proof of Lemma 4.3 shows that when $(f_1, d_1)$ and $(f_2, d_2)$ are in $\mathcal{L}_\alpha$, then 
$(f_1 \wedge f_2, d_1 \wedge d_2)$ is in $\mathcal{L}_\alpha$. □ 

We are now going to show that every constant function of $\mathrm{mon}[\mathcal{K}_\alpha \to \mathcal{K}_\beta]$ is actually in 
$\mathcal{K}_{\alpha \to \beta}$. 


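Lemma 4.5. For every $q$ in $\mathcal{K}_\beta$, the constant function $c_q \in \mathrm{mon}[\mathcal{K}_\alpha \to \mathcal{K}_\beta]$ assigning $q$ to 
every element of $\mathcal{K}_\alpha$ is in $\mathcal{K}_{\alpha \to \beta}$. 

Proof. To show that $c_q$ is in $\mathcal{K}_{\alpha \to \beta}$, we need to find $h_q$ in $D_{\alpha \to \beta}$ such that for every $(p, e)$ in $\mathcal{L}_\alpha$, 
$(c_q(p), h_q(e))$ is in $\mathcal{L}_\beta$. Since $q$ is in $\mathcal{K}_\beta$, there is $d$ such that $(q, d)$ is in $\mathcal{L}_\beta$. It suffices to take 
$h_q$ to be the function of $D_{\alpha \to \beta}$ such that for every $e$ in $D_\alpha$, $h_q(e) = d$. □ 

As one easily observes that for every $p \in \mathcal{K}_\alpha$, $\top_{\alpha \to \beta}(p) = \top_\beta$, a consequence of this 
lemma is that $(\top_\alpha, \top_\alpha)$ is in $\mathcal{L}_\alpha$ for every $\alpha$. 

This lemma allows us to define inductively on types the family of constant functions 
$(\perp\!\!\!\perp_\alpha)_{\alpha \in \mathcal{T}}$ as follows: 

(1) $\perp\!\!\!\perp_0 = (\bot, Q_\Omega)$, 

(2) $\perp\!\!\!\perp_{\alpha \to \beta}(h) = \perp\!\!\!\perp_\beta$ for every $h$ in $\mathcal{K}_\alpha$. 

Notice that $\perp\!\!\!\perp_\alpha$ is a minimal element of $\mathcal{K}_\alpha$, but $\mathcal{K}_\alpha$ does not have a least element in general. 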


4.1.2. Galois connections between $\mathcal{K}_\alpha$ and $D_\alpha$. In this part, we wish to show that the relation 
$\mathcal{L}_\alpha$ is indeed defining an injection from $\mathcal{K}_\alpha$ to $D_\alpha$ that we shall denote with $\overline{(\cdot)}$. Moreover, 
we are going to define a mapping $(\cdot)^\uparrow$ from $D_\alpha$ to $\mathcal{K}_\alpha$ so that $\overline{(\cdot)}$ and $(\cdot)^\uparrow$ define a Galois 
connection between $\mathcal{K}_\alpha$ and $D_\alpha$. This Galois connection plays a key role in allowing the 
model to track convergence and, thus, in the definition of the interpretation of fixpoints in 
the model. We shall also see that both $\overline{(\cdot)}$ and $(\cdot)^\uparrow$ commute with application. 

So as to define this Galois connection, we need to introduce the notion of $\mathcal{D}$-completeness 
of types. This notion imposes some basic properties that allow us to construct both $\overline{(\cdot)}$ and 
$(\cdot)^\uparrow$. Our goal is to establish that every type is $\mathcal{D}$-complete. 

For every $d$ in $D_\alpha$, we denote by $L_d$ the set of elements of $\mathcal{K}_\alpha$ that are related to it: 

$$L_d = \{p \in \mathcal{K}_\alpha \mid (p, d) \in \mathcal{L}_\alpha\}.$$ 

Definition 4.6. A type $\alpha$ is $\mathcal{D}$-complete if, for every $d$ in $D_\alpha$: 

(1) $L_d$ is not empty, 

(2) $\perp\!\!\!\perp_\alpha \le \bigvee L_d$, 

(3) for every $(f, e)$ in $\mathcal{L}_\alpha$: $f \le \bigvee L_d$ iff $e \le d$. 

Later we will show that every type is $\mathcal{D}$-complete, but for this we will need some 
preparatory lemmas. 

Lemma 4.7. If $\alpha$ is a $\mathcal{D}$-complete type and $d$ is in $D_\alpha$ then $(\bigvee L_d, d)$ is in $\mathcal{L}_\alpha$. 


Proof. Since $\alpha$ is $\mathcal{D}$-complete, $L_d$ is not empty, and the conclusion follows directly from 
Lemma 4.3. □ 

Lemma 4.8. If $\alpha$ is a $\mathcal{D}$-complete type, and $d, e \in D_\alpha$ then: $e \le d$ iff $\bigvee L_e \le \bigvee L_d$. 


Proof. As $\alpha$ is $\mathcal{D}$-complete both $L_e$ and $L_d$ are not empty and therefore $\bigvee L_e$ and $\bigvee L_d$ are 
well-defined. Lemma 4.7 also gives that $(\bigvee L_e, e)$ is in $\mathcal{L}_\alpha$. Now from $\mathcal{D}$-completeness of $\alpha$, 
we have that $\bigvee L_e \le \bigvee L_d$ iff $e \le d$. □ 


The next step is to define the operation $(\cdot)^\uparrow$ that, as we will show later, is an embedding 
of $\mathcal{D}$ into $\mathcal{K}$. For this we need the notion of co-step functions that are particular functions 
from a partial order $L_1$ to a partial order $L_2$, the latter having the greatest element $\top_2$. 
Given two elements $p$ in $L_1$ and $q$ in $L_2$, the co-step function $p \nearrow q$ is a function from 
$\mathrm{mon}[L_1 \to L_2]$ such that for $r$ in $L_1$, 

$$(p \nearrow q)(r) = \begin{cases} q & \text{when } r \le p \\ \top_2 & \text{otherwise.} \end{cases}$$ 

Definition 4.9. Let $\alpha$, $\beta$ be $\mathcal{D}$-complete types. For every $h \in D_{\alpha \to \beta}$ and every $d \in D_\alpha$ we 
define two monotone functions and the element $h^\uparrow$: 

$$f_{h,d} = \bigvee L_d \nearrow \bigvee L_{h(d)}, \qquad \bar{f}_{h,d} = d \nearrow h(d),$$ 

$$h^\uparrow = \bigwedge_{d \in D_\alpha} f_{h,d}.$$ 

For $h$ in $D_0$, we define $h^\uparrow$ to be $(\bot, Q_\Omega)$ when $h = \bot$, and to be $(\top, Q)$ when $h = \top$. 


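The next lemma summarizes all the essential properties of the model $\mathcal{K}$. 


Lemma 4.10. For all $\mathcal{D}$-complete types $\alpha$, $\beta$, for every $h \in D_{\alpha \to \beta}$ and every $d \in D_\alpha$: 

(1) $(f_{h,d}, \bar{f}_{h,d})$ is in $\mathcal{L}_{\alpha \to \beta}$; 

(2) $\perp\!\!\!\perp_{\alpha \to \beta} \le f_{h,d}$; 

(3) $h^\uparrow$ is an element of $\mathcal{K}_{\alpha \to \beta}$ and $(h^\uparrow, h) \in \mathcal{L}_{\alpha \to \beta}$; 

(4) if $(p, e) \in \mathcal{L}_\alpha$ then $h^\uparrow(p) = \bigvee L_{h(e)}$; 

(5) $h^\uparrow = \bigvee L_h$. 


Proof. For the first item we take $(p, e) \in \mathcal{L}_\alpha$, and show that $(f_{h,d}(p), \bar{f}_{h,d}(e)) \in \mathcal{L}_\beta$. This will 
be sufficient by the definition of $\mathcal{L}_{\alpha \to \beta}$. Lemma 4.7 gives $(\bigvee L_d, d) \in \mathcal{L}_\alpha$ and $(\bigvee L_{h(d)}, h(d)) \in \mathcal{L}_\beta$. 
By $\mathcal{D}$-completeness of $\alpha$: $p \le \bigvee L_d$ iff $e \le d$. We have two cases. If $p \le \bigvee L_d$ then 
$f_{h,d}(p) = \bigvee L_{h(d)}$ and $\bar{f}_{h,d}(e) = h(d)$. Otherwise, $p \not\le \bigvee L_d$ gives $f_{h,d}(p) = \top_\beta$ and 
$\bar{f}_{h,d}(e) = \top_\beta$. With the help of Lemma 4.7 in both cases we have that the result is in $\mathcal{L}_\beta$ 
and we are done. 

For the second item, by $\mathcal{D}$-completeness of $\beta$ we have $\bigvee L_{h(d)} \ge \perp\!\!\!\perp_\beta$. In the proof of the 
first item we have seen that $f_{h,d}(p) \ge \bigvee L_{h(d)}$ for every $p \in \mathcal{K}_\alpha$. Since $\perp\!\!\!\perp_{\alpha \to \beta}(p) = \perp\!\!\!\perp_\beta$ we 
get $\perp\!\!\!\perp_{\alpha \to \beta} \le f_{h,d}$. 

In order to show the third item we use the first item telling us that $(f_{h,e}, \bar{f}_{h,e})$ is in 
$\mathcal{L}_{\alpha \to \beta}$ for every $e \in D_\alpha$. Since by the second item $\perp\!\!\!\perp_{\alpha \to \beta} \le f_{h,e}$, Corollary 4.4 shows that 
$(\bigwedge_{e \in D_\alpha} f_{h,e}, \bigwedge_{e \in D_\alpha} \bar{f}_{h,e})$ is in $\mathcal{L}_{\alpha \to \beta}$. Directly from the definition of co-step functions we 
have $\bigwedge_{e \in D_\alpha} (e \nearrow h(e)) = h$. This gives, as desired, $(\bigwedge_{e \in D_\alpha} f_{h,e}, h)$ in $\mathcal{L}_{\alpha \to \beta}$. 

For the fourth item, take an arbitrary $(p, e) \in \mathcal{L}_\alpha$. We show that $h^\uparrow(p) = \bigvee L_{h(e)}$. 
By definition $h^\uparrow(p) = \bigwedge_{e' \in D_\alpha} f_{h,e'}(p)$. Moreover $f_{h,e'}(p) = \bigvee L_{h(e')}$ if $p \le \bigvee L_{e'}$ and 
$f_{h,e'}(p) = \top_\beta$ otherwise. By $\mathcal{D}$-completeness of $\alpha$: $p \le \bigvee L_{e'}$ iff $e \le e'$. So $h^\uparrow(p) = 
\bigwedge_{e' \in D_\alpha} f_{h,e'}(p) = \bigwedge \{\bigvee L_{h(e')} : e \le e'\}$. By Lemma 4.8 if $e \le e'$ then $\bigvee L_{h(e)} \le \bigvee L_{h(e')}$. 
Hence $h^\uparrow(p) = \bigvee L_{h(e)}$. 

For the last item we want to show that $h^\uparrow = \bigvee L_h$. We know that $h^\uparrow \in L_h = \{g \in 
\mathcal{K}_{\alpha \to \beta} : (g, h) \in \mathcal{L}_{\alpha \to \beta}\}$ since $(h^\uparrow, h) \in \mathcal{L}_{\alpha \to \beta}$ by the third item. We show that for every 
$g \in L_h$, $g \le h^\uparrow$. Take some $(p, e) \in \mathcal{L}_\alpha$. We have $(g(p), h(e)) \in \mathcal{L}_\beta$, hence $g(p) \le \bigvee L_{h(e)}$ by 
definition of $L_{h(e)}$. Since $h^\uparrow(p) = \bigvee L_{h(e)}$ by the fourth item, we get $g \le h^\uparrow$. □ 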

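Lemma 4.11. Every type $\alpha$ is $\mathcal{D}$-complete. 


Proof. This is proved by induction on the structure of the type. The case of the base 
type follows by direct examination. For the induction step consider a type $\alpha \to \beta$ and 
suppose that $\alpha$ and $\beta$ are $\mathcal{D}$-complete. Given $d$ in $D_{\alpha \to \beta}$, Lemma 4.10 gives that $(d^\uparrow, d)$ is 
in $\mathcal{L}_{\alpha \to \beta}$ proving that $L_d \ne \emptyset$; it also gives that $\perp\!\!\!\perp_{\alpha \to \beta} \le d^\uparrow$ and $d^\uparrow = \bigvee L_d$, so we obtain 
$\perp\!\!\!\perp_{\alpha \to \beta} \le \bigvee L_d$. It just remains to prove that for every $(f, e)$ in $\mathcal{L}_{\alpha \to \beta}$: $f \le \bigvee L_d$ iff $e \le d$. 

We first remark that, as by induction hypothesis, $\alpha$ and $\beta$ are $\mathcal{D}$-complete, by Lemma 4.10 
(items (4) and (5)), for every $(p, e') \in \mathcal{L}_\alpha$ we have: 

$$\bigvee L_{d(e')} = d^\uparrow(p) = \Big(\bigvee L_d\Big)(p) \qquad (4.1)$$ 

Let's first suppose that $e \le d$. Take a $p \in \mathcal{K}_\alpha$. By definition of the model there is $e'$ such 
that $(p, e') \in \mathcal{L}_\alpha$. As $\alpha$ is $\mathcal{D}$-complete, Lemma 4.8 gives us $\bigvee L_{e(e')} \le \bigvee L_{d(e')}$. By definition 
of $\mathcal{L}_{\alpha \to \beta}$ we have that $(f(p), e(e')) \in \mathcal{L}_\beta$, so $f(p) \le \bigvee L_{e(e')}$ by definition of $L_{e(e')}$. This gives 
$f(p) \le \bigvee L_{e(e')} \le \bigvee L_{d(e')}$. Finally Equation (4.1) shows the desired $f(p) \le (\bigvee L_d)(p)$ for 
every $p \in \mathcal{K}_\alpha$. 

Let us now suppose that $f \le \bigvee L_d$. The $\mathcal{D}$-completeness of $\alpha$ tells us that for every $e'$ in 
$D_\alpha$ there is $p$ in $\mathcal{K}_\alpha$ so that $(p, e')$ is in $\mathcal{L}_\alpha$. Then Equation (4.1) gives $f(p) \le (\bigvee L_d)(p) = 
\bigvee L_{d(e')}$. Now, as by induction $\beta$ is $\mathcal{D}$-complete, the fact that $(f(p), e(e')) \in \mathcal{L}_\beta$ entails 
$e(e') \le d(e')$. As $e'$ was arbitrary we obtain $e \le d$. □ 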


The proposition below sums up the properties of the embedding $(\cdot)^\uparrow$ from Definition 4.9. 


Proposition 4.12. Given a type $\alpha$, and $d$ in $D_\alpha$, the element $d^\uparrow$ from $\mathcal{K}_\alpha$ is such that: 

(1) $(d^\uparrow, d)$ is in $\mathcal{L}_\alpha$, 

(2) if $e \in D_\alpha$ and $d \le e$ then $d^\uparrow \le e^\uparrow$, 

(3) if $(f, d)$ is in $\mathcal{L}_\alpha$, then $f \le d^\uparrow$, 

(4) if $\alpha = \alpha_1 \to \alpha_2$ and $(g, e)$ is in $\mathcal{L}_{\alpha_1}$ then $d^\uparrow(g) = (d(e))^\uparrow$. 


Proof. These properties follow directly from Lemma 4.10 except for the second property for 
which a small calculation is needed. Since $(d^\uparrow, d)$ is in $\mathcal{L}_\alpha$ and $d \le e$ then by Lemma 4.10 
$d^\uparrow \le \bigvee L_e$. The latter is precisely $e^\uparrow$ by Lemma 4.10. □ 


In particular, in combination with item 3 of Lemma 4.10, this proposition shows that 
the operator $(\cdot)^\uparrow$ commutes with the application: $d^\uparrow(e^\uparrow) = (d(e))^\uparrow$. 

The next lemma shows that the relation $\mathcal{L}_\alpha$ is functional. 


Lemma 4.13. For every type $\alpha$ and $f$ in $\mathcal{K}_\alpha$: if $(f, d_1)$ and $(f, d_2)$ are in $\mathcal{L}_\alpha$, then $d_1 = d_2$. 

Proof. We proceed by induction on the structure of the type. The case of the base type 
follows from a direct inspection. For the induction step suppose that both $(f, d_1)$ and $(f, d_2)$ 
are in $\mathcal{L}_{\alpha \to \beta}$. Take an arbitrary $e \in D_\alpha$. By Lemma 4.10 we have $(e^\uparrow, e) \in \mathcal{L}_\alpha$. Therefore 
$(f(e^\uparrow), d_1(e))$ and $(f(e^\uparrow), d_2(e))$ are in $\mathcal{L}_\beta$. The induction hypothesis implies that $d_1(e) = d_2(e)$. 
Since $e$ was arbitrary we get $d_1 = d_2$. □ 


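Since, by definition, for every $f \in \mathcal{K}_\alpha$ we have $(f, d) \in \mathcal{L}_\alpha$ for some $d \in D_\alpha$, the above 
lemma gives us a projection of $\mathcal{K}_\alpha$ to $D_\alpha$. For this we re-use the notation we have introduced 
in Definition 4.9. 

Definition 4.14. For every type $\alpha$ and $f \in \mathcal{K}_\alpha$ we let $\bar{f}$ be the unique element of $D_\alpha$ such 
that $(f, \bar{f}) \in \mathcal{L}_\alpha$. 

Notice that $\overline{d^\uparrow} = d$ for every $d$ in $D_\alpha$, since $(d^\uparrow, d)$ is in $\mathcal{L}_\alpha$ by Proposition 4.12. 
We immediately state some properties of the projection. We start by showing that it 
commutes with the application. 

Lemma 4.15. Given $f$ in $\mathcal{K}_{\alpha \to \beta}$ and $p$ in $\mathcal{K}_\alpha$, $\overline{f(p)} = \bar{f}(\bar{p})$. 

Proof. We have $(f, \bar{f})$ in $\mathcal{L}_{\alpha \to \beta}$ and $(p, \bar{p})$ in $\mathcal{L}_\alpha$, so that $(f(p), \bar{f}(\bar{p}))$ is in $\mathcal{L}_\beta$ and thus 
$\overline{f(p)} = \bar{f}(\bar{p})$. □ 

Lemma 4.16. Given $f$ and $g$ in $\mathcal{K}_\alpha$, if $f \le g$ then $\bar{f} \le \bar{g}$. 

Proof. We proceed by induction on the structure of the types. The case of the base type 
follows by a straightforward inspection. For the induction step take $f \le g$ in $\mathcal{K}_{\alpha \to \beta}$. For 
an arbitrary $d \in D_\alpha$ we have $f(d^\uparrow) \le g(d^\uparrow)$. By induction hypothesis on type $\beta$ we get 
$\overline{f(d^\uparrow)} \le \overline{g(d^\uparrow)}$. By Lemma 4.15 we obtain $\overline{f(d^\uparrow)} = \bar{f}(\overline{d^\uparrow}) = \bar{f}(d)$. The last equality follows 
from the fact that $\overline{d^\uparrow} = d$ since $(d^\uparrow, d)$ is in $\mathcal{L}_\alpha$ by Proposition 4.12. Of course the same 
equalities hold for $g$ too. So $\bar{f}(d) \le \bar{g}(d)$ for arbitrary $d$, and we are done. □ 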

Taking an abstract view on the operations $(\cdot)^\uparrow$ and $\overline{(\cdot)}$, we can summarise all the 
properties we have shown as follows: 


Corollary 4.17. For the models $\mathcal{D}$ and $\mathcal{K}$ as defined above: 

(1) Mapping $(\cdot)^\uparrow$ is a functor from $\mathcal{D}$ to $\mathcal{K}$. 

(2) Mapping $\overline{(\cdot)}$ is a functor from $\mathcal{K}$ to $\mathcal{D}$. 

(3) At every type both mappings are monotone and moreover they form a Galois connection 
in the sense that $\bar{f} \le d$ iff $f \le d^\uparrow$. 

(4) The pair $\overline{(\cdot)}$, $(\cdot)^\uparrow$ forms a retraction: $\overline{d^\uparrow} = d$. 
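4.1.3. Interpretation of fixpoints. We are now going to give the definition of the interpretation 
of the fixpoint combinator in $\mathcal{K}$. This definition is based on that of the fixpoint operator in 
$\mathcal{D}$. We write $\mathrm{fix}_\alpha$ for the operation in $D_{(\alpha \to \alpha) \to \alpha}$ that maps a function of $D_{\alpha \to \alpha}$ to its least 
fixpoint. 


Lemma 4.18. Given $f$ in $\mathcal{K}_{\alpha \to \alpha}$, we have $f(\mathrm{fix}_\alpha(\bar{f})^\uparrow) \le \mathrm{fix}_\alpha(\bar{f})^\uparrow$. 


Proof. By Proposition 4.12, $(\mathrm{fix}_\alpha(\bar{f})^\uparrow, \mathrm{fix}_\alpha(\bar{f}))$ is in $\mathcal{L}_\alpha$. Moreover, as $(f, \bar{f})$ is in $\mathcal{L}_{\alpha \to \alpha}$, by 
definition of $\mathcal{L}_{\alpha \to \alpha}$ we have $(f(\mathrm{fix}_\alpha(\bar{f})^\uparrow), \bar{f}(\mathrm{fix}_\alpha(\bar{f}))) = (f(\mathrm{fix}_\alpha(\bar{f})^\uparrow), \mathrm{fix}_\alpha(\bar{f}))$ is in $\mathcal{L}_\alpha$. Then 
by Proposition 4.12 we get $f(\mathrm{fix}_\alpha(\bar{f})^\uparrow) \le \mathrm{fix}_\alpha(\bar{f})^\uparrow$. □ 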


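The above lemma guarantees that the sequence $f^n(\mathrm{fix}_\alpha(\bar{f})^\uparrow)$ is decreasing. We can now 
define an operator that, as we will show, is the fixpoint operator we are looking for. 


Definition 4.19. For every type $\alpha$ and $f \in \mathcal{K}_{\alpha \to \alpha}$ define 

$$\mathrm{Fix}_\alpha(f) = \bigwedge_{n \in \mathbb{N}} \big(f^n(\mathrm{fix}_\alpha(\bar{f})^\uparrow)\big).$$ 

We show that $\mathrm{Fix}_\alpha$ is monotone. 

Lemma 4.20. Given $f$ and $g$ in $\mathcal{K}_{\alpha \to \alpha}$, if $f \le g$ then $\mathrm{Fix}_\alpha(f) \le \mathrm{Fix}_\alpha(g)$. 

Proof. By Lemma 4.16, $f \le g$ implies $\bar{f} \le \bar{g}$; as $\mathrm{fix}_\alpha$ is monotone, we have $\mathrm{fix}_\alpha(\bar{f}) \le \mathrm{fix}_\alpha(\bar{g})$ 
and $\mathrm{fix}_\alpha(\bar{f})^\uparrow \le \mathrm{fix}_\alpha(\bar{g})^\uparrow$ by Proposition 4.12. As $f \le g$ we have $f^k(\mathrm{fix}_\alpha(\bar{f})^\uparrow) \le g^k(\mathrm{fix}_\alpha(\bar{g})^\uparrow)$ 
for every $k$ in $\mathbb{N}$. Therefore $\bigwedge_{n \in \mathbb{N}} f^n(\mathrm{fix}_\alpha(\bar{f})^\uparrow) \le \bigwedge_{n \in \mathbb{N}} g^n(\mathrm{fix}_\alpha(\bar{g})^\uparrow)$. □ 

The last step is to show that $\mathrm{Fix}_\alpha$ is actually in $\mathcal{K}_{(\alpha \to \alpha) \to \alpha}$. 

Lemma 4.21. For every $\alpha$, $\mathrm{Fix}_\alpha$ is in $\mathcal{K}_{(\alpha \to \alpha) \to \alpha}$ and $(\mathrm{Fix}_\alpha, \mathrm{fix}_\alpha)$ is in $\mathcal{L}_{(\alpha \to \alpha) \to \alpha}$. 

Proof. We know that $(f, \bar{f})$ is in $\mathcal{L}_{\alpha \to \alpha}$. As we have seen in the proof of Lemma 4.18, 
$(f(\mathrm{fix}_\alpha(\bar{f})^\uparrow), \mathrm{fix}_\alpha(\bar{f}))$ is in $\mathcal{L}_\alpha$. Using repeatedly the defining properties of $\mathcal{L}_{\alpha \to \alpha}$, we obtain 
that for every $n \in \mathbb{N}$, $(f^n(\mathrm{fix}_\alpha(\bar{f})^\uparrow), \mathrm{fix}_\alpha(\bar{f}))$ is in $\mathcal{L}_\alpha$. But $f^n(\mathrm{fix}_\alpha(\bar{f})^\uparrow)$ is decreasing by 
Lemma 4.18. Since $\mathcal{K}_\alpha$ is finite, we get $(\bigwedge_{n \in \mathbb{N}} f^n(\mathrm{fix}_\alpha(\bar{f})^\uparrow), \mathrm{fix}_\alpha(\bar{f}))$ in $\mathcal{L}_\alpha$. We are done 
since $\bigwedge_{n \in \mathbb{N}} f^n(\mathrm{fix}_\alpha(\bar{f})^\uparrow) = \mathrm{Fix}_\alpha(f)$. □ 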


4.1.4. A model of the $\lambda Y$-calculus. We are ready to define the model we were looking for. 


Definition 4.22. For a finite set $Q$ and its subset $Q_\Omega \subseteq Q$ consider a tuple $\mathcal{K}(Q, Q_\Omega, \rho) = 
(\{\mathcal{K}_\alpha\}_{\alpha \in \mathcal{T}}, \rho)$ where $\{\mathcal{K}_\alpha\}_{\alpha \in \mathcal{T}}$ is as in Definition 4.2 and $\rho$ is a valuation such that for every 
type $\alpha$: $\omega^\alpha$ is interpreted as the greatest element of $\mathcal{K}_\alpha$, $Y^{(\alpha \to \alpha) \to \alpha}$ is interpreted as $\mathrm{Fix}_\alpha$, 
and $\Omega^\alpha$ is interpreted as $\perp\!\!\!\perp_\alpha$. 


Notice that, according to this definition, $\Omega^0$ is interpreted as $(\bot, Q_\Omega)$. So the semantics 
of $\Omega$ and $\omega$ are different in this model. Recall that $\Omega$ is used to denote divergence, and $\omega$ 
is used in the definition of the truncation operation from the semantics of Böhm trees (cf. 
page[^. 

We will show $\mathcal{K}(Q, Q_\Omega, \rho)$ is indeed a model of the $\lambda Y$-calculus. Since $\mathcal{K}_{\alpha \to \beta}$ does not 
contain all the functions from $\mathcal{K}_\alpha$ to $\mathcal{K}_\beta$ we must show that there are enough of them to 
form a model of $\lambda Y$, the main problem being to show that $[\![\lambda x.M]\!]^v_{\mathcal{K}}$ defines an element of 
$\mathcal{K}$. For this, it is sufficient to prove that constant functions and the combinators S and K 
exist in the model. 

Lemma 4.23. For every sequence of types $\vec{\alpha} = \alpha_1 \ldots \alpha_n$ and every types $\beta$, $\gamma$ we have the 
following: 

• For every constant $p \in \mathcal{K}_\beta$ the constant function $f_p : \alpha_1 \to \cdots \to \alpha_n \to \beta$ belongs to $\mathcal{K}$. 

• For $i = 1, \ldots, n$, the projection $\pi_i : \alpha_1 \to \cdots \to \alpha_n \to \alpha_i$ belongs to $\mathcal{K}$. 

• If $f : \vec{\alpha} \to (\beta \to \gamma)$ and $g : \vec{\alpha} \to \beta$ are in $\mathcal{K}$, then $\lambda \vec{p}. f\vec{p}(g\vec{p}) : \vec{\alpha} \to \gamma$ is in $\mathcal{K}$. 


Proof. The first item of the lemma is given by Lemma 4.5, the second does not present more 
difficulty. Finally, the third proceeds by a direct examination once we observe the following 
property of $\mathcal{K}(Q, Q_\Omega, \rho)$. Given two elements $f$ of $\mathrm{mon}[\mathcal{K}_{\alpha_1} \to \cdots \to \mathrm{mon}[\mathcal{K}_{\alpha_n} \to \mathcal{K}_\beta]]$ and $g$ 
of $D_{\vec{\alpha} \to \beta}$: if for every $d_1, \ldots, d_n$ in $\mathcal{K}_{\alpha_1}, \ldots, \mathcal{K}_{\alpha_n}$, $(f(d_1, \ldots, d_n), g(\bar{d}_1, \ldots, \bar{d}_n)) \in \mathcal{L}_\beta$ 
then $f$ is in $\mathcal{K}_{\vec{\alpha} \to \beta}$ and $(f, g)$ is in $\mathcal{L}_{\vec{\alpha} \to \beta}$. This observation follows directly 
from Proposition 4.12 and the definition of the model. □ 

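The above lemma allows us to define the interpretation of terms in the usual way: 

• $[\![Y^{(\alpha \to \alpha) \to \alpha}]\!]^v_{\mathcal{K}} = \mathrm{Fix}_\alpha$ 

• $[\![a]\!]^v_{\mathcal{K}} = \rho(a)$ 

• $[\![x^\alpha]\!]^v_{\mathcal{K}} = v(x^\alpha)$ 

• $[\![\omega^\beta]\!]^v_{\mathcal{K}} = \top_\beta$ 

• $[\![MN]\!]^v_{\mathcal{K}} = [\![M]\!]^v_{\mathcal{K}}([\![N]\!]^v_{\mathcal{K}})$ 

• $[\![\lambda x^\alpha.M]\!]^v_{\mathcal{K}}(a) = [\![M]\!]^{v[a/x^\alpha]}_{\mathcal{K}}$ for every $a \in \mathcal{K}_\alpha$. 

We need to check that for every valuation $v$ and every term $M$ of type $\alpha$, $[\![M]\!]^v_{\mathcal{K}}$ is indeed in 
$\mathcal{K}_\alpha$. For this we take a list of variables $x_1^{\alpha_1}, \ldots, x_n^{\alpha_n}$ containing all free variables of $M$, and 
we show that the function $\lambda p_1 \ldots p_n. [\![M]\!]^{[p_1/x_1, \ldots, p_n/x_n]}_{\mathcal{K}}$ is in $\mathcal{K}_{\alpha_1 \to \cdots \to \alpha_n \to \alpha}$. The proof is a 
simple induction on the structure of $M$. Lemma 4.21 and Lemma 4.23 ensure that this is 
the case when $M = Y$. For the other constants, $a$, $\omega$ and $\Omega$, we use the fact that constant 
functions are in the model. The remaining cases are handled by Lemma 4.23: variable and 
application clauses use K and S combinators respectively. 

These observations allow us to conclude that $\mathcal{K}(Q, Q_\Omega, \rho)$ is indeed a model of the 
$\lambda Y$-calculus, that is: 

(1) for every term $M$ of type $\alpha$ and every valuation $v$ ranging over the free variables of $M$, 
$[\![M]\!]^v_{\mathcal{K}}$ is in $\mathcal{K}_\alpha$, 

(2) given two terms $M$ and $N$ of type $\alpha$, if $M =_{\beta\delta} N$, then for every valuation $v$, $[\![M]\!]^v_{\mathcal{K}} = 
[\![N]\!]^v_{\mathcal{K}}$. 

Theorem 4.24. For every finite set $Q$ and every set $Q_\Omega \subseteq Q$ the model $\mathcal{K}(Q, Q_\Omega, \rho)$ as in 
Definition 4.22 is a model of the $\lambda Y$-calculus. 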

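Let us mention the following useful fact showing a correspondence between the meanings 
of a term in $\mathcal{K}$ and in $\mathcal{D}$. The proof is immediate since $\{\mathcal{L}_\alpha\}_{\alpha \in \mathcal{T}}$ is a logical relation 
(cf. [AC98]). 

Lemma 4.25. For every type $\alpha$ and closed term $M$ of type $\alpha$: 

$$([\![M]\!]_{\mathcal{K}}, [\![M]\!]_{\mathcal{D}}) \in \mathcal{L}_\alpha.$$ 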
4.2. Correctness and completeness of the model. It remains to show that the model 
we have constructed is indeed sufficient to recognize languages of TAC automata. For the 
rest of the section we fix a tree signature $\Sigma$ and a TAC automaton 

.4= e : Q X Si ^ : Q x S 2 ^ ViQ^)) . 


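We take a model $\mathcal{K}$ based on $\mathcal{K}(Q, Q_\Omega, \rho)$ as in Definition 4.22, where $Q_\Omega$ is the set of 
states $q$ such that $\delta(q, \Omega) = tt$. It remains to specify the meaning of constants like $c : 0$ or 
$a : 0^2 \to 0$ in $\Sigma$: 

$$\rho(c) = (\top, \{q : \delta(q, c) = tt\})$$ 

$$\rho(a)(d_1, R_1)(d_2, R_2) = (\top, R) \quad \text{where } d_1, d_2 \in \{\bot, \top\} \text{ and } R = \{q \in Q \mid \delta(q, a) \cap R_1 \times R_2 \ne \emptyset\}.$$ 


Lemma 4.26. For every $a$ in $\Sigma$ of type $0^2 \to 0$: $\rho(a)$ is in $\mathcal{K}_{0^2 \to 0}$ and $(\rho(a), \top_{0^2 \to 0})$ is in 
$\mathcal{L}_{0^2 \to 0}$. 

Proof. It is easy to see that $\rho(a)$ is monotone. For the membership in $\mathcal{K}$ the witnessing 
function from $D_{0^2 \to 0}$ is $\top_{0^2 \to 0}$. □ 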


Once we know that $\mathcal{K}$ is a model we can state some of its useful properties. The first 
one tells what the meaning of unsolvable terms is. The second indicates how unsolvability is 
taken into account in the computation of a fixpoint. 


Proposition 4.27. Given a closed term $M$ of type 0: $BT(M) = \Omega^0$ iff $[\![M]\!]_{\mathcal{K}} = (\bot, Q_\Omega)$. 


Proof. If $[\![M]\!]_{\mathcal{K}} = (\bot, Q_\Omega)$ then Lemma 4.25 gives us $[\![M]\!]_{\mathcal{D}} = \bot$. By Theorem 4.1 this 
implies $BT(M) = \Omega^0$. 

If $BT(M) = \Omega^0$ then Theorem 4.1 entails that $[\![M]\!]_{\mathcal{D}} = \bot$. By Lemma 4.25, $([\![M]\!]_{\mathcal{K}}, \bot)$ 
is in $\mathcal{L}_0$. But this is possible only if $[\![M]\!]_{\mathcal{K}} = (\bot, Q_\Omega)$. □ 


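Lemma 4.28. Given a type $\beta = \beta_1 \to \cdots \to \beta_l \to 0$, a sequence of types $\vec{\alpha} = \alpha_1, \ldots, \alpha_k$, 
and a function $f \in \mathcal{K}_{\vec{\alpha} \to \beta \to \beta}$, consider the functions: 

$$h = \lambda p_1 \ldots p_k. \big(\mathrm{fix}_\beta(\overline{f(p_1, \ldots, p_k)})\big)^\uparrow \qquad g = \lambda e_1 \ldots e_k. \mathrm{fix}_\beta(\bar{f}(e_1) \ldots (e_k))$$ 

that are respectively in $\mathrm{mon}[\mathcal{K}_{\alpha_1} \to \cdots \mathrm{mon}[\mathcal{K}_{\alpha_k} \to \mathcal{K}_\beta]]$ and in $D_{\vec{\alpha} \to \beta}$. Then $h$ is in 
$\mathcal{K}_{\vec{\alpha} \to \beta}$ and $(h, g)$ is in $\mathcal{L}_{\vec{\alpha} \to \beta}$. Moreover, for every $p_1 \in \mathcal{K}_{\alpha_1}, \ldots, p_k \in \mathcal{K}_{\alpha_k}$, $q_1 \in \mathcal{K}_{\beta_1}, \ldots, 
q_l \in \mathcal{K}_{\beta_l}$ we have 

$$h(p_1, \ldots, p_k)(q_1, \ldots, q_l) = \begin{cases} (\bot, Q_\Omega) & \text{if } g(\bar{p}_1, \ldots, \bar{p}_k)(\bar{q}_1, \ldots, \bar{q}_l) = \bot \\ (\top, Q) & \text{if } g(\bar{p}_1, \ldots, \bar{p}_k)(\bar{q}_1, \ldots, \bar{q}_l) = \top. \end{cases}$$ 


Proof. To prove that $(h, g)$ is in $\mathcal{L}_{\vec{\alpha} \to \beta}$, we resort to the remark we made in the proof of 
Lemma 4.23 so that it suffices to show that for every $p_1, \ldots, p_k$ respectively in $\mathcal{K}_{\alpha_1}, \ldots, \mathcal{K}_{\alpha_k}$, 
$(h(p_1, \ldots, p_k), g(\bar{p}_1, \ldots, \bar{p}_k))$ is in $\mathcal{L}_\beta$. We have that $h(p_1, \ldots, p_k) = (\mathrm{fix}_\beta(\overline{f(p_1, \ldots, p_k)}))^\uparrow$ 
that is in $\mathcal{K}_\beta$ and then 

$$\overline{h(p_1, \ldots, p_k)} = \mathrm{fix}_\beta(\overline{f(p_1, \ldots, p_k)}) = \mathrm{fix}_\beta(\bar{f}(\bar{p}_1, \ldots, \bar{p}_k)) = g(\bar{p}_1, \ldots, \bar{p}_k),$$ 

where the second equality is by successive use of Lemma 4.15. 

This shows that $(h, g)$ is in $\mathcal{L}_{\vec{\alpha} \to \beta}$ and thus $h$ is in $\mathcal{K}_{\vec{\alpha} \to \beta}$. 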

So as to complete the proof of the lemma, we first prove the following claim: for every 
for r in and qi, ..., Qn in ..., we have that: 

• = (T, Qn) iff (r(^,..., = (T, Qn), 

• ...,qn) = (T, Q) iff (r(^,..., = (T, Q). 


We first remark that, given r in from the fourth item of Proposition 4.12[ we 

have that whenever {q,e) is in C^, then r^{q) = (r(e))^, so that in particular r^{q) = (r(q))^. 
A simple induction shows then that, for r in 


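$$r^\uparrow(q_1, \ldots, q_n) = (r(\bar{q}_1, \ldots, \bar{q}_n))^\uparrow.$$ 


Therefore if $\delta = 0$ and $r(\bar{q}_1, \ldots, \bar{q}_n) = \bot$, we have $(r(\bar{q}_1, \ldots, \bar{q}_n))^\uparrow = (\bot, Q_\Omega)$. Moreover, in 
case $r(\bar{q}_1, \ldots, \bar{q}_n) = \top$, we have $(r(\bar{q}_1, \ldots, \bar{q}_n))^\uparrow = (\top, Q)$. 

Now, the lemma follows from choosing $r = g(\bar{p}_1, \ldots, \bar{p}_k)$ and remarking that we have 
$(g(\bar{p}_1, \ldots, \bar{p}_k))^\uparrow = h(p_1, \ldots, p_k)$. □ 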


As in the case of GFP-models the semantics of a Böhm tree is defined in terms of its 
truncations: $[\![BT(M)]\!]_{\mathcal{K}} = \bigwedge \{[\![BT(M)\!\downarrow_k]\!]_{\mathcal{K}} \mid k \in \mathbb{N}\}$. The subtle difference is that now $\Omega$ 
and $\omega$ do not have the same meaning. Nevertheless, the analog of Proposition 2.4 still holds 
in $\mathcal{K}$. 


Theorem 4.29. For every closed term $M$ of type 0: $[\![M]\!]_{\mathcal{K}} = [\![BT(M)]\!]_{\mathcal{K}}$. 

Proof. First we show that $[\![M]\!]_{\mathcal{K}} \le [\![BT(M)]\!]_{\mathcal{K}}$. For this, we proceed with the classical finite 
approximation technique. We thus define a finite approximation of the Böhm tree. The 
Abstract Böhm tree up to depth $l$ of a term $M$, denoted $ABT_l(M)$, will be a term obtained 
by reducing $M$ till it resembles $BT(M)$ up to depth $l$ as much as possible. We define it by 
induction: 

• $ABT_0(M) = M$; 

• $ABT_{l+1}(M)$ is $M$ if $M$ does not have head normal form, 
otherwise it is a term $\lambda \vec{x}. N_0 ABT_l(N_1) \ldots ABT_l(N_k)$, where $\lambda \vec{x}. N_0 N_1 \ldots N_k$ is the head 
normal form of $M$. 

Since $ABT_l(M)$ is obtained from $M$ by a sequence of $\beta\delta$-reductions, $[\![M]\!]_{\mathcal{K}} = [\![ABT_l(M)]\!]_{\mathcal{K}}$ 
for every $l$. We now show that for every term $M$ and every $l$: 

$$[\![ABT_l(M)]\!]_{\mathcal{K}} \le [\![BT(M)\!\downarrow_l]\!]_{\mathcal{K}}.$$ 

Up to depth $l$, the two terms have the same structure as trees. We will see that the meaning 
of every leaf in $ABT_l(M)$ is not bigger than the meaning of the corresponding leaf of 
$BT(M)\!\downarrow_l$. For leaves of depth $l$ this is trivial since on the one hand we have a term and on 
the other the constant $\omega$. For other leaves, the terms are either identical and thus have the 
same interpretation or on one side we have a term without head normal form and on the 
other $\Omega$ and thus, according to Proposition 4.27, also have the same interpretation. 

The desired inequality follows now directly from the definition of 
the semantics of $BT(M)$ since $[\![M]\!]_{\mathcal{K}} = [\![ABT_l(M)]\!]_{\mathcal{K}} \le [\![BT(M)\!\downarrow_l]\!]_{\mathcal{K}}$ for every $l \in \mathbb{N}$; and 
$[\![BT(M)]\!]_{\mathcal{K}} = \bigwedge \{[\![BT(M)\!\downarrow_l]\!]_{\mathcal{K}} \mid l \in \mathbb{N}\}$. 

For the inequality in the other direction, we also use a classical method that consists of 
working with finite unfoldings of the $Y$ combinators. Observe that if a term $M$ does not 
have $Y$ combinators, then it is strongly normalizing and the theorem is trivial. So we need 
to be able to deal with $Y$ combinators in $M$. For this we introduce new constants $c_N$ for every 
subterm $YN$ of $M$. The type of $c_N$ is $\vec{\alpha} \to \beta$ if $\beta$ is the type of $YN$ and $\vec{\alpha} = \alpha_1 \ldots \alpha_k$ is the 
sequence of types of the sequence of free variables $\vec{x} = x_1 \ldots x_k$ occurring in $YN$. We let 
the semantics of a constant $c_N$ be 

icnIic = 


First we need to check that indeed $[\![c_N]\!]_{\mathcal{K}}$ is in $\mathcal{K}$. For this we have prepared Lemma 4.28. 
Indeed {cnIjc = ■■■Pk- 

Lemma 


,Pk 


, for / = Xp. So |cAr]y^ is h from 


4.28 


and [cArJx) = [wlyc is g from that lemma. The lemma additionally gives us 


that for every pi,... ,Pfc,gi, 




= -L 


(4.2) 


(T,Qo) if [cArli,(Pi,.. 

if [cArli,(pi,.. 

We now define the term $iterate^n(N)$ for every $n \in \mathbb{N}$: 

$$iterate^0(N) = c_N \vec{x}$$ 
$$iterate^{n+1}(N) = N(iterate^n(N)),$$ 

where $\vec{x}$ is the vector of variables free in $N$. Notice that when replacing $c_N$ in $iterate^n(N)$ 
by $\lambda \vec{x}. YN$ we obtain a term that is $\beta\delta$-convertible to $YN$. 

From the definition of the fixpoint operator in $\mathcal{K}$ and the fact that $\mathcal{K}_\beta$ is finite it 
follows that $[\![\lambda \vec{x}. iterate^n(N)]\!] = [\![\lambda \vec{x}. YN]\!]$ for some $n$. Now we can apply this identity to 
all fixpoint subterms in $M$ starting from the innermost subterms. So the term $expand^n(M)$ 
is obtained by repeatedly replacing occurrences of subterms of the form $YN$ in $M$ by 
$iterate^n(N)$ starting from the innermost occurrences. Now taking $n$ so that for every $N$ 
occurring in $M$, $[\![\lambda \vec{x}. iterate^n(N)]\!] = [\![\lambda \vec{x}. YN]\!]$, we obtain $[\![M]\!]_{\mathcal{K}} = [\![expand^n(M)]\!]_{\mathcal{K}}$. 

We come back to the proof. The missing inequality will be obtained from 

$$[\![M]\!]_{\mathcal{K}} = [\![expand^n(M)]\!]_{\mathcal{K}} = [\![BT(expand^n(M))]\!]_{\mathcal{K}} \ge [\![BT(M)]\!]_{\mathcal{K}}.$$ 

The first equality we have discussed above. The second is trivial since $expand^n(M)$ does not 
have fixpoints. To finish the proof it remains to show $[\![BT(expand^n(M))]\!]_{\mathcal{K}} \ge [\![BT(M)]\!]_{\mathcal{K}}$. 

Let us denote $BT(expand^n(M))$ by $P$. So $P$ is a term of type 0 in a normal form without 
occurrences of $Y$. For a term $K$ let $\widetilde{K}$ stand for a term obtained from $K$ by simultaneously 
replacing $c_N$ by $\lambda \vec{x}. YN$. Because of Lemma 4.18, we have $[\![c_N]\!]_{\mathcal{K}} \ge [\![\lambda \vec{x}. YN]\!]_{\mathcal{K}}$ which also 
implies that $[\![P]\!]_{\mathcal{K}} \ge [\![\widetilde{P}]\!]_{\mathcal{K}}$. Moreover, as we have remarked above that replacing $c_N$ in 
$iterate^n(N)$ by $\lambda \vec{x}. YN$ gives a term $\beta\delta$-convertible to $YN$, we have that $\widetilde{P}$ is $\beta\delta$-convertible 
to $M$. It then follows that $BT(\widetilde{P}) = BT(M)$. We need to show that $[\![P]\!]_{\mathcal{K}} \ge [\![BT(\widetilde{P})]\!]_{\mathcal{K}}$. 

Let us compare the trees $BT(P)$ and $BT(\widetilde{P})$ by looking on every path starting from 
the root. The first difference appears when a node $v$ of $BT(P)$ is labeled with $c_N$ for some 
$N$. Say that the subterm of $P$ rooted in $v$ is $c_N K_1 \ldots K_i$. Then at the same position in 
$BT(\widetilde{P})$ we have the Böhm tree of the term $(\lambda \vec{x}. YN)\widetilde{K}_1 \ldots \widetilde{K}_i$. Observe that both terms are 
closed and of type 0. This is because on the path from the root of $BT(P)$ to $v$ we have only 
seen constants of type $0 \to 0 \to 0$; similarly for $BT(\widetilde{P})$. We will be done if we show that 
$[\![c_N K_1 \ldots K_i]\!]_{\mathcal{K}} \ge [\![BT((\lambda \vec{x}. YN)\widetilde{K}_1 \ldots \widetilde{K}_i)]\!]_{\mathcal{K}}$. 

We reason by cases. If {c^Ki... Kijjy = T then equation (4.2) gives us IcjyKi... = 

(T, Q). So the desired inequality holds since (T, Q) is the greatest element of JCq. 

If {cnKi ... Kijj^ = T then |cAr.^i... Kijjj = T since By equation ( [4^ 

we get |c 7 v.^i • • • = (T, Qn). Since, by the definition of the fixpoint opera tor, > 

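$[\![\lambda \vec{x}. YN]\!]_{\mathcal{K}}$ we get $[\![YNK_1 \ldots K_i]\!]_{\mathcal{K}} = (\bot, Q_\Omega)$. But then Proposition 4 implies that 
$YNK_1 \ldots K_i$ is unsolvable. Thus $[\![BT((\lambda \vec{x}. YN)K_1 \ldots K_i)]\!]_{\mathcal{K}} = [\![\Omega]\!]_{\mathcal{K}} = (\bot, Q_\Omega)$. □ 

Theorem 4.30. Let $\mathcal{A}$ be an insightful TAC automaton with the set of states $Q$, initial 
state $q^0$, and $Q_\Omega$ the set of states from which $\mathcal{A}$ accepts the constant $\Omega$. Let $\mathcal{K} = \mathcal{K}(Q, Q_\Omega)$ 
be a model as in Definition 4.22 where the constants have the interpretation $\rho$ given page. 
For every closed term $M$ of type 0: 

$BT(M) \in L(\mathcal{A})$ iff $q^0$ is in the second component of $[\![M]\!]_{\mathcal{K}}$. 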

Proof. The proof is very similar to the case of blind TAC automata (Proposition 3.2). The 
difference here is that we rely on Theorem 4.29 for our model $\mathcal{K}$, moreover the constants $\omega$ 
and $\Omega$ are handled separately. For completeness we spell out the argument in full, if only to 
see where these modifications intervene. 


For the left to right implication suppose that $\mathcal{A}$ accepts $BT(M)$. Since, by Theorem 4.29, 
$[\![M]\!] = [\![BT(M)]\!]$ it is enough to show that $q^0$, that is the initial state of $\mathcal{A}$, is in the second 
component of $[\![BT(M)]\!]$. For this we show that $q^0$ is in the second component of $[\![BT(M)\!\downarrow_l]\!]$ 
for every $l \in \mathbb{N}$. 

The tree $BT(M)$ is a ranked tree labeled with constants from the signature. The run 
of $\mathcal{A}$ is a function $r$ assigning to every node a state of $\mathcal{A}$. Recall that the tree $BT(M)\!\downarrow_l$ is 
a prefix of this tree containing nodes up to depth $l$. Let us call it $t_l$. Every node $v$ in the 
domain of $t_l$ corresponds to a subterm of $BT(M)\!\downarrow_l$ that we denote $M^l_v$. 

By induction on the height of $v$ we show that $r(v)$ appears in the second component of 
$[\![M^l_v]\!]$. This will show the left to right implication. If $v$ is a leaf at depth $l$ then $M^l_v$ is $\omega^0$. 
We are done since $[\![\omega^0]\!] = (\top, Q)$. If $v$ is a leaf of depth smaller than $l$ then $M^l_v$ is $\Omega^0$ or a 
constant $c$ of type 0. In the latter case by definition of a run, we have $r(v) \in \{q \mid \delta(q, c) = tt\}$. 
We are done by the semantics of $c$ in the model. If $M^l_v$ is $\Omega^0$ then $[\![M^l_v]\!] = (\bot, Q_\Omega)$ and 
$r(v)$ belongs to $Q_\Omega$ by definition of the run. The last case is when $v$ is an internal node of 
the tree $t_l$. In this case $M^l_v = a M^l_{v1} M^l_{v2}$ where $a$ is the constant labeling $v$ in $t_l$. By the 
induction assumption we have that $r(vi)$ appears in the second component of $[\![M^l_{vi}]\!]$, and we 
are done by using the semantics of $a$. 

For the direction from right to left we suppose that $q^0$ is in the second component of 
$[\![M]\!]$. By Theorem 4.29, $[\![M]\!] = [\![BT(M)]\!]$. We will construct a run of $\mathcal{A}$ on $BT(M)$. 

If $M$ does not have head normal form then $[\![M]\!] = (\bot, Q_\Omega)$ by Proposition 4.27. In this 
case $BT(M)$ is the tree consisting only of the root labeled $\Omega^0$. Hence $q^0 \in Q_\Omega$ and we are 
done. 

Otherwise $BT(M)$ has some letter $a$ in the root. In case it is a leaf, the conclusion is 
immediate. In case it is a binary symbol, $M =_{\beta\delta} a M_1 M_2$ for some $M_1$, $M_2$. Now, as $q^0$ is in 
the second component of $[\![M]\!]$, by definition of $[\![a]\!]$, it must be the case that $q_1$ and $q_2$ are 
in the second components of $[\![M_1]\!]$ and $[\![M_2]\!]$, respectively. We put $r(1) = q_1$ and $r(2) = q_2$ 
and repeat the argument starting from the nodes 1 and 2 respectively. It is easy to see that 
this inductive procedure gives a, potentially infinite, run of $\mathcal{A}$. Hence $BT(M) \in L(\mathcal{A})$ as by 
construction the run of $\mathcal{A}$ is accepting. □ 
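
The base-type part of this construction can be checked mechanically on finite trees. The following Python is an added example, not code from the paper: it builds the base domain K_0 of Definition 4.2, interprets constants by the valuation rho of Section 4.2, and compares the second component of the meaning with a direct search for a run, which is the statement of Theorem 4.30 restricted to finite trees without Y. The sample automaton, the nested-tuple tree encoding and all function names are assumptions made for the illustration.

```python
from itertools import chain, combinations

BOT, TOP = 0, 1  # D_0 = {BOT < TOP}; BOT is the value of terms without head normal form


def k0(Q, Q_omega):
    """Base domain K_0: every (TOP, P) with P a subset of Q, plus the single (BOT, Q_omega)."""
    Q = sorted(Q)
    subsets = chain.from_iterable(combinations(Q, n) for n in range(len(Q) + 1))
    return [(TOP, frozenset(P)) for P in subsets] + [(BOT, frozenset(Q_omega))]


def leq(x, y):
    """(d1, P1) <= (d2, P2) iff d1 <= d2 in D_0 and P1 is a subset of P2."""
    return x[0] <= y[0] and x[1] <= y[1]


def minimal(elements):
    """Elements with nothing strictly below them."""
    return [x for x in elements if not any(leq(y, x) and y != x for y in elements)]


class TAC:
    """Insightful TAC automaton. Assumed encoding: 'Omega' is an ordinary key of `leaf`."""

    def __init__(self, Q, q0, leaf, binary):
        self.Q, self.q0 = frozenset(Q), q0
        self.leaf = {c: frozenset(s) for c, s in leaf.items()}  # states q with delta(q, c) = tt
        self.binary = binary                                     # binary[a][q] = set of (q1, q2)
        self.Q_omega = self.leaf.get("Omega", frozenset())


def interp(aut, t):
    """Meaning in K_0 of a finite tree given as a leaf name or a tuple (a, t1, t2)."""
    if t == "Omega":
        return (BOT, aut.Q_omega)          # divergence: the minimal element (BOT, Q_omega)
    if t == "omega":
        return (TOP, aut.Q)                # truncation constant: greatest element of K_0
    if isinstance(t, str):
        return (TOP, aut.leaf.get(t, frozenset()))
    a, t1, t2 = t
    (_, R1), (_, R2) = interp(aut, t1), interp(aut, t2)
    R = {q for q in aut.Q
         if any(q1 in R1 and q2 in R2 for (q1, q2) in aut.binary[a].get(q, ()))}
    return (TOP, frozenset(R))


def has_run(aut, q, t):
    """Direct search for a run from state q; 'omega' leaves are accepted from any state."""
    if t == "omega":
        return True
    if isinstance(t, str):
        return q in aut.leaf.get(t, frozenset())
    a, t1, t2 = t
    return any(has_run(aut, q1, t1) and has_run(aut, q2, t2)
               for (q1, q2) in aut.binary[a].get(q, ()))


def accepted(aut, t):
    """Model-based acceptance test: is the initial state in the second component?"""
    return aut.q0 in interp(aut, t)[1]


def trees(depth, leaves=("c", "Omega", "omega"), letters=("a",)):
    """All trees of height at most `depth` over the given constants."""
    if depth == 0:
        return list(leaves)
    smaller = trees(depth - 1, leaves, letters)
    return list(leaves) + [(a, l, r) for a in letters for l in smaller for r in smaller]


def model_agrees_with_runs(aut, depth=2):
    """For every tree and state: membership in the second component iff a run exists."""
    return all((q in interp(aut, t)[1]) == has_run(aut, q, t)
               for t in trees(depth) for q in aut.Q)


# Constructed sample automaton: Q = {1, 2}, Q_Omega = {1}, as in Figure 1.
EXAMPLE = TAC(Q={1, 2}, q0=1, leaf={"c": {2}, "Omega": {1}},
              binary={"a": {1: {(1, 2)}, 2: {(2, 2)}}})
```

With this automaton the tree a(Omega, c) is accepted while a(c, Omega) is not, so acceptance depends on where the divergent subtree sits, which an Omega-blind automaton cannot express.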


5. Reflection operation 

The idea behind the reflection operation is to transform a term into a term that monitors 
its computation: it is aware of the value in the model of the original term at every moment 
of computation. This monitoring simply amounts to adding an extra labelling to constants 
that reflect those values. Formally, we express this by the notion of a reflective Böhm tree 
defined below. The definition can be made more general but we will be interested only in 
the case of terms of type 0. In this section we will show that reflective Böhm trees can be 
generated by $\lambda Y$-terms. 

As usual we suppose that we are working with a fixed tree signature $\Sigma$. We will also need 
a signature where constants are annotated with elements of the model. If $\mathcal{S} = \langle \{S_\alpha\}_{\alpha \in \mathcal{T}}, \rho \rangle$ 
is a finitary model then the extended signature contains constants $a^s$ where $a$ is a 
constant in $\Sigma$ (either nullary or binary) and $s \in S_0$; so semantic annotations are possible 
interpretations of terms of type 0 in $\mathcal{S}$. 

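Definition 5.1. Let $\mathcal{S}$ be a finitary model, and $M$ a closed term of type 0. $rBT_{\mathcal{S}}(M)$, the 
reflective Böhm tree of $M$ with respect to $\mathcal{S}$, is obtained in the following way: 

• If $M \to^*_{\beta\delta} b N_1 N_2$ for some constant $b : 0 \to 0 \to 0$ then $rBT_{\mathcal{S}}(M)$ is a tree having the 
root labelled by $b^{[\![b N_1 N_2]\!]_{\mathcal{S}}}$ and having $rBT_{\mathcal{S}}(N_1)$ and $rBT_{\mathcal{S}}(N_2)$ as subtrees. 

• If $M \to^*_{\beta\delta} c$ for some constant $c : 0$ then $rBT_{\mathcal{S}}(M) = c^{[\![c]\!]_{\mathcal{S}}}$. 

• Otherwise, $M$ is unsolvable and $rBT_{\mathcal{S}}(M) = \Omega^0$. 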

To see the intention behind this definition suppose that the model $\mathcal{S}$ has the property: 
$[\![N]\!]^{\mathcal{S}} = [\![BT(N)]\!]^{\mathcal{S}}$ for every term $N$. In this case the superscript annotation of a node 
in $rBT_{\mathcal{S}}(M)$ is just the value of the subtree from this node. When, moreover, the model 
$\mathcal{S}$ recognizes a given property then the superscript determines if the subtree satisfies the 
property. For example, GFP-models, as well as models $\mathcal{K}$ we have constructed in the last 
section will behave this way. 
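
The annotation described above can be computed directly when the term is a finite tree built only from constants, so that its Böhm tree is the term itself. The following Python sketch is an added illustration, not code from the paper: the automaton (states `ok` and `noc`), its transition tables and the two sample terms are constructed, and $S_0$ is assumed to be the set of subsets of automaton states.

```python
# Added illustration, not code from the paper. Constructed automaton with trivial
# acceptance over the signature {a: binary; b, c: nullary}:
#   "noc": the tree contains no c leaf
#   "ok" : no left subtree of an a-node contains a c leaf
STATES = ("noc", "ok")
DELTA1 = {("noc", "b"), ("ok", "b"), ("ok", "c")}        # accepted (state, leaf) pairs
DELTA2 = {("noc", "a"): {("noc", "noc")}, ("ok", "a"): {("noc", "ok")}}

def rho_leaf(c):
    """Assumed interpretation of a nullary constant: the states accepting the leaf."""
    return frozenset(q for q in STATES if (q, c) in DELTA1)

def rho_bin(a, d1, d2):
    """Assumed interpretation of a binary constant applied to the values d1 and d2."""
    return frozenset(q for q in STATES
                     if any(q1 in d1 and q2 in d2 for q1, q2 in DELTA2.get((q, a), ())))

def reflect(term):
    """Return (annotated tree, value in S_0) for a term built from constants only."""
    if isinstance(term, str):                    # nullary constant
        d = rho_leaf(term)
        return (term, d), d
    a, left, right = term                        # binary constant applied to two terms
    (t1, d1), (t2, d2) = reflect(left), reflect(right)
    d = rho_bin(a, d1, d2)
    return (a, d, t1, t2), d

def show(tree):
    """Render a node as label^{annotation}(subtrees)."""
    label = tree[0] + "^{" + ",".join(sorted(tree[1])) + "}"
    if len(tree) == 2:
        return label
    return label + "(" + show(tree[2]) + ", " + show(tree[3]) + ")"

def satisfies(term, initial="ok"):
    """The root annotation decides acceptance from the chosen initial state."""
    return initial in reflect(term)[1]

GOOD = ("a", "b", ("a", "b", "c"))   # constructed term a b (a b c)
BAD = ("a", ("a", "c", "b"), "b")    # constructed term a (a c b) b

if __name__ == "__main__":
    print(show(reflect(GOOD)[0]))
    print(show(reflect(BAD)[0]))
```

Every node carries the set of states from which its own subtree is accepted, so the property can be read off at any node without re-running the automaton.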

We will use terms to generate reflective Böhm trees. 

Definition 5.2. Let $\Sigma$ be a tree signature, and let $\mathcal{S}$ be a finitary model. For $M$ a closed 
term of type 0 over the signature $\Sigma$, we say that a term $M'$ over the signature is a 
reflection of $M$ in $\mathcal{S}$ if $BT(M') = rBT(M)$. 

The objective of this section is to construct reflections of terms. Since $\lambda Y$-terms 
can be translated to schemes and vice versa, the construction is working for schemes 
too. (Translations between schemes and $\lambda Y$-terms that do not increase the type order are 
presented in [SW12].) 

Let us fix a tree signature $\Sigma$ and a finitary model $\mathcal{S}$. For the construction of reflective 
terms we enrich the $\lambda Y$-calculus with some syntactic sugar. Consider a type $\alpha$. The set 
$S_\alpha$ is finite for every type $\alpha$; say $S_\alpha = \{d_1, \ldots, d_k\}$. We will introduce a new atomic type 
$[\alpha]$ and constants $d_1, \ldots, d_k$ of this type; there will be no harm in using the same names 
for constants and elements of the model. We do this for every type $\alpha$ and consider terms 
over this extended type discipline. Notice that there are no other closed normal terms than 
$d_1, \ldots, d_k$ of type $[\alpha]$. 

Given a term $M$ of type $[\alpha]$ and $M_1, \ldots, M_n$ which are all terms of type $\beta$, we introduce 
the construct 

$$\mathrm{case}^{\beta}\ M\ \{d_i \to M_i\}_{d_i \in S_\alpha}$$

which is a term of type $\beta$ and which reduces to $M_i$ when $M = d_i$. This construct is simple 
syntactic sugar since we may represent the term $d_i$ of type $[\alpha]$ with the $i$-th projection 
$\lambda x_1 \ldots x_n. x_i$ by letting $[\alpha] = 0^n \to 0$; then, when $\beta = \beta_1 \to \cdots \to \beta_n \to 0$, $\mathrm{case}^{\beta}$ can be 
defined as the $\lambda$-term 

$$\lambda d\, f_1 \ldots f_k\, y_1 \ldots y_n.\ d\,(f_1\, y_1 \ldots y_n) \ldots (f_k\, y_1 \ldots y_n) .$$

When $M$ represents $d_i$, i.e. is equal to $\lambda x_1 \ldots x_n. x_i$, the term 

$$\lambda y_1 \ldots y_n.\ M\,(M_1\, y_1 \ldots y_n) \ldots (M_k\, y_1 \ldots y_n)$$

is $\beta\eta$-convertible to $M_i$ which represents well the semantic of the $\mathrm{case}^{\beta}$ construct. In the 
sequel, we shall omit the type annotation on the case construct. 

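We define a transformation on types $\alpha^*$ by induction on their structure as follows: 

$$\begin{aligned}
\alpha^* &= \alpha \quad \text{when } \alpha \text{ is atomic} \\
(\alpha \to \beta)^* &= \alpha^* \to [\alpha] \to \beta^*
\end{aligned}$$

The type translation $(\cdot)^*$ makes every function dependent on the semantics of its argument. 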

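The translation we are looking for will be an instance of a more general translation 
$[M, v]$ of a term $M$ of type $\alpha$ into a term of type $\alpha^*$, where $v$ is a valuation over $\mathcal{S}$. 

$$\begin{aligned}
[\lambda x^{\alpha}.M, v] &= \lambda x^{\alpha^*} \lambda y^{[\alpha]}.\ \mathrm{case}\ y^{[\alpha]}\ \{d \to [M, v[d/x^{\alpha}]]\}_{d \in S_\alpha} \\
[MN, v] &= [M, v]\ [N, v]\ [\![N]\!]^{v} \\
[a, v] &= \lambda x_1^{0} \lambda y_1^{[0]} \lambda x_2^{0} \lambda y_2^{[0]}.\ \mathrm{case}\ y_1^{[0]}\ \{d_1 \to \mathrm{case}\ y_2^{[0]}\ \{d_2 \to a^{\rho(a) d_1 d_2}\, x_1 x_2\}_{d_2 \in S_0}\}_{d_1 \in S_0} \\
&\qquad \text{when } a \text{ is a binary constant} \\
[a, v] &\qquad \text{when } a \text{ is a nullary constant} \\
[YM, v] &= Y^{(\alpha^* \to \alpha^*) \to \alpha^*} (\lambda x^{\alpha^*}.\ [M, v]\ x^{\alpha^*}\ [\![YM]\!]^{v}) .
\end{aligned}$$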

The transformation of the terms propagates semantic information. In the case of $\lambda$-abstraction, 
the extra semantic argument is checked and in each branch the valuation 
is updated accordingly. In the case of application, we need to give the extra semantic 
parameter, so we simply give the interpretation of the argument in the model. For constants, 
the term tests the value of each of the arguments and then sends the correctly annotated 
constant. For variables, we just need to update their types. Finally for fixpoints, we type 
them with $(\alpha^* \to \alpha^*) \to \alpha^*$. When $M$ is the argument of a fixpoint, the type of the term 
$[M, v]$ is $(\alpha \to \alpha)^* = \alpha^* \to [\alpha] \to \alpha^*$. We thus take as an argument of the fixpoint combinator the 
term of type $\alpha^* \to \alpha^*$: $\lambda x^{\alpha^*}.\ [M, v]\ x^{\alpha^*}\ [\![YM]\!]^{v}$, because the semantics of the argument of 
$[M, v]$ is, by definition of a fixpoint, the semantics of $YM$. 
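
The type translation $(\cdot)^*$ and the typing of the fixpoint clause can be checked mechanically. The following Python sketch is an added illustration, not code from the paper; the tuple encoding of types and the helper names are assumptions, and the `order` helper is an addition used only to compare the order of a sample type before and after translation.

```python
# Added illustration, not code from the paper.
# Types: "0" is the base type, ("->", a, b) is a -> b, ("box", a) is the atomic type [a].

def arrow(*ts):
    """Right-nested arrow type: arrow(a, b, c) is a -> b -> c."""
    return ts[0] if len(ts) == 1 else ("->", ts[0], arrow(*ts[1:]))

def is_atomic(t):
    return isinstance(t, str) or t[0] == "box"

def star(t):
    """alpha* = alpha for atomic alpha; (a -> b)* = a* -> [a] -> b*."""
    if is_atomic(t):
        return t
    _, a, b = t
    return arrow(star(a), ("box", a), star(b))

def order(t):
    """Order of a simple type; the new types [a] are atomic, hence of order 0."""
    return 0 if is_atomic(t) else max(order(t[1]) + 1, order(t[2]))

def show(t, left=False):
    """Print a type, parenthesising arrows that occur to the left of an arrow."""
    if isinstance(t, str):
        return t
    if t[0] == "box":
        return "[" + show(t[1]) + "]"
    s = show(t[1], True) + " -> " + show(t[2])
    return "(" + s + ")" if left else s

def fixpoint_types(alpha):
    """Types in the fixpoint clause for Y M with M : alpha -> alpha."""
    translated_arg = star(arrow(alpha, alpha))                    # type of [M, v]
    new_y = arrow(arrow(star(alpha), star(alpha)), star(alpha))   # type given to Y
    return show(translated_arg), show(new_y)

SAMPLE = arrow(arrow("0", "0"), "0")   # constructed sample type (0 -> 0) -> 0

if __name__ == "__main__":
    print(show(SAMPLE), "becomes", show(star(SAMPLE)))
    print(fixpoint_types("0"))
```

The translated argument of $Y$ expects one more parameter of type $[\alpha]$ than the fixpoint accepts, which is why the clause supplies the value of $YM$ explicitly.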

To prove correctness of this translation, we need two lemmas. 


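Lemma 5.3. Given a term $M$ and a valuation $v$, and the terms $N_1, \ldots, N_n$ we have the 
following identity: 

$$[M\sigma, v] = [M, v']\,\sigma' ,$$

where $\sigma = [N_1/x_1^{\alpha_1}, \ldots, N_n/x_n^{\alpha_n}]$ is a substitution, $\sigma' = [[N_1, v]/x_1^{\alpha_1^*}, \ldots, [N_n, v]/x_n^{\alpha_n^*}]$ and 
$v' = v[[\![N_1]\!]^{v}/x_1^{\alpha_1}, \ldots, [\![N_n]\!]^{v}/x_n^{\alpha_n}]$. 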


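Proof. We proceed by induction on the structure of $M$. We will only show the case of 
$\lambda$-abstraction, the others being similar. 

In case $M = \lambda x^{\alpha}.N$ (we assume that $x^{\alpha}$ is different from the variables $x_i^{\alpha_i}$ used in the 
substitution), then $[\lambda x^{\alpha}.N\sigma, v] = \lambda x^{\alpha^*} y^{[\alpha]}.\ \mathrm{case}\ y^{[\alpha]}\ \{f \to [N\sigma, v[f/x^{\alpha}]]\}_{f \in S_\alpha}$. By induction 
we have that, for every $f$ in $S_\alpha$, $[N\sigma, v[f/x^{\alpha}]] = [N, v'[f/x^{\alpha}]]\,\sigma'$. But, 

$$\begin{aligned}
[\lambda x^{\alpha}.N, v']\,\sigma' &= (\lambda x^{\alpha^*} y^{[\alpha]}.\ \mathrm{case}\ y^{[\alpha]}\ \{f \to [N, v'[f/x^{\alpha}]]\}_{f \in S_\alpha})\,\sigma' \\
&= \lambda x^{\alpha^*} y^{[\alpha]}.\ \mathrm{case}\ y^{[\alpha]}\ \{f \to [N, v'[f/x^{\alpha}]]\,\sigma'\}_{f \in S_\alpha} \\
&= \lambda x^{\alpha^*} y^{[\alpha]}.\ \mathrm{case}\ y^{[\alpha]}\ \{f \to [N\sigma, v[f/x^{\alpha}]]\}_{f \in S_\alpha} \\
&= [\lambda x^{\alpha}.N\sigma, v] . \qquad \Box
\end{aligned}$$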

We can now show that the translation is compatible with head $\beta\delta$ reduction. 

Lemma 5.4. If M M', then [M,v] [M',v]. 


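Proof. We proceed by induction on the structure of $M$. We only treat the cases where $M$ is a 
redex, the other cases being trivial by induction. We are left with two cases: $M = (\lambda x^{\alpha}.P)Q$ 
and $M = YP$. 

In case $M = (\lambda x^{\alpha}.P)Q$, we have that $M' = P[Q/x^{\alpha}]$, and using Lemma 5.3 we have 
that $[M', v] = [P, v[[\![Q]\!]^{v}/x^{\alpha}]]\ [[Q, v]/x^{\alpha^*}]$. But then we have 

$$\begin{aligned}
[M, v] &= [\lambda x^{\alpha}.P, v]\ [Q, v]\ [\![Q]\!]^{v} \\
&= (\lambda x^{\alpha^*} y^{[\alpha]}.\ \mathrm{case}\ y^{[\alpha]}\ \{f \to [P, v[f/x^{\alpha}]]\}_{f \in S_\alpha})\ [Q, v]\ [\![Q]\!]^{v} \\
&\phantom{=}\ [P, v[[\![Q]\!]^{v}/x^{\alpha}]]\ [[Q, v]/x^{\alpha^*}] \\
&= [M', v] .
\end{aligned}$$

In case $M = YP$ we have $M' = PM$ and: 

$$\begin{aligned}
[M, v] &= Y^{(\alpha^* \to \alpha^*) \to \alpha^*} (\lambda x^{\alpha^*}.\ [P, v]\ x^{\alpha^*}\ [\![M]\!]^{v}) \\
&\phantom{=}\ (\lambda x^{\alpha^*}.\ [P, v]\ x^{\alpha^*}\ [\![M]\!]^{v})\ [M, v] \\
&\phantom{=}\ [P, v]\ [M, v]\ [\![M]\!]^{v} \\
&= [PM, v] \\
&= [M', v] . \qquad \Box
\end{aligned}$$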


Corollary 5.5. Given a term $M$ of type 0 and a valuation $v$: 

$M$ $aM_1M_2$ iff $[M, v]$ $[M_1, v]$ $[M_2, v]$ . 

Proof. The direction from left to right is a simple consequence of Lemma 5.4. For the 
direction from right to left, we use the well-known fact (see [Sta04]) that a $\lambda Y$-term has 
a head normal form iff it can be head-reduced to a head normal form. Let us suppose 
that $[M, v]$ reduces to $P_1 P_2$ in $k$ steps of head-reduction. There are two cases. In 
case $M$ has no head normal form, then let $P$ be a term obtained from $M$ by $k + 1$ steps 
of $\beta\delta$ reduction, in symbols . By an iterative use of Lemma 5.4, we must have 
$[M, v] \to^{m} [P, v]$ with $k < m$. A contradiction since $P$ is not a head-normal form. The 
second case is when $M$ has a head-normal form. So after some number of steps of head 
$\beta\delta$-reduction we obtain $bN_1N_2$. A simple use of Lemma 5.4 gives that $b = a$, $P_1 = [N_1, v]$ 
and $P_2 = [N_2, v]$. □ 

A direct inductive argument using the above corollary gives us the main result of this 
section. 

Theorem 5.6. For every finitary model $\mathcal{S}$ and a closed term $M$ of type 0: 

$$BT([M, \emptyset]) = rBT_{\mathcal{S}}(M) .$$


Remark: If the divergence can be observed in the model $\mathcal{S}$ (as it is the case for GFP models 
and for the model $\mathcal{K}$, cf. Proposition 4.27) then in the translation above we could add the 
rule $[M, v] = \Omega$ whenever denotes a diverging term. We would obtain a term which 
would always converge. A different construction for achieving the same goal is proposed 
in [Had12]. 


Remark: Even though the presented translation preserves the structure of a term, it makes 
the term much bigger due to the case construction in the clause for $\lambda$-abstraction. The 
blow-up is unavoidable due to complexity lower-bounds on the model-checking problem. 
Nevertheless, one can try to limit the use of the case construct. We present below a slightly 
more efficient translation that takes the value of the known arguments into account and 
thus avoids the unnecessary use of the case construction. For this, the translation is now 
parametrized also with a stack of values from $\mathcal{S}$ so as to recall the values taken by the 
arguments. For the sake of simplicity, we also assume that the constants always have all their 
arguments (this can be achieved by putting the $\lambda$-term in $\eta$-long form). This translation is 
essentially obtained from the previous one by techniques of constant propagation as used in 
partial evaluation [JGSM]. 


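$$\begin{aligned}
[\lambda x^{\alpha}.M, v, d :: S] &= \lambda x^{\alpha^*} y^{[\alpha]}.\ [M, v[d/x^{\alpha}], S] \\
[\lambda x^{\alpha}.M, v, \varepsilon] &= \lambda x^{\alpha^*} y^{[\alpha]}.\ \mathrm{case}\ y^{[\alpha]}\ \{d \to [M, v[d/x^{\alpha}], \varepsilon]\}_{d \in S_\alpha} \\
[MN, v, S] &= [M, v, [\![N]\!]^{v} :: S]\ [N, v, \varepsilon]\ [\![N]\!]^{v} \\
[a, v, d_1 :: d_2 :: \varepsilon] &= \lambda x_1^{0} \lambda y_1^{[0]} \lambda x_2^{0} \lambda y_2^{[0]}.\ a^{\rho(a) d_1 d_2}\, x_1 x_2 \quad \text{when } a \text{ is a binary constant} \\
[a, v] &\qquad \text{when } a \text{ is a nullary constant} \\
[x^{\alpha}, v, S] &= x^{\alpha^*} \\
[YM, v, S] &= Y\, [M, v, [\![YM]\!]^{v} :: S]
\end{aligned}$$


6. Conclusions 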

We have considered the class of properties expressible by TAC automata. These automata 
can talk about divergence as opposed to $\Omega$-blind TAC automata that are usually considered 
in the literature. We have given some example properties that require TAC automata 
that are not $\Omega$-blind (cf. page ). We have presented the model-based approach to the 
model-checking problem for TAC automata. While a priori it is more difficult to construct a 
finitary model than to come up with a decision procedure, in our opinion this additional 
effort is justified. It allows us, as we show here, to use the techniques of the theory of the 
$\lambda$-calculus. It opens new ways of looking at the algorithmics of the model-checking problem. 
Since typing in intersection type systems [Kob09b] and step functions in models are in 
direct correspondence [SMGB12], the model-based approach can also benefit from all the 
developments in algorithms based on typing. Finally, this approach allows us to get new 
constructions as demonstrated by our transformation of a scheme to a scheme reflecting a 
given property. Observe that this transformation is general and does not depend on our 
particular model. 

As we have seen, the model-based approach is particularly straightforward for $\Omega$-blind 
TAC automata. It uses standard observations on models of the $\lambda Y$-calculus and 
Proposition 3.2 with a simple inductive proof. The model we propose for insightful automata 
may seem involved; nevertheless, the construction is based on simple and standard techniques. 
Moreover, this model implements an interesting interaction between components. It succeeds 
in mixing a GFP model for $\Omega$-blind automaton with the model D for detecting solvability. 

The approach using models opens several new perspectives. One can try to characterize 
which kinds of fixpoints correspond to which class of automata conditions. More generally, 
models hint at the possibility of an Eilenberg-like variety theory for lambda-terms [Eil74]. 
This theory would cover infinite regular words and trees too as they can be represented 
by $\lambda Y$-terms. Finally, considering model-checking algorithms, the model-based approach 
puts a focus on computing fixpoints in finite partial orders. This means that a number 
of techniques, ranging from under/over-approximations, to program optimization can be 
applied. 